Revision: 17956
Author:   [email protected]
Date:     Thu Nov 21 10:18:28 2013 UTC
Log:      Merged r17800, r17801 into 3.22 branch.

Limit the size for typed arrays to MaxSmi.

Limit size of dehoistable array indices

BUG=319722,chromium:319835,chromium:319860
[email protected]

Review URL: https://codereview.chromium.org/80643002
http://code.google.com/p/v8/source/detail?r=17956

Added:
 /branches/3.22/test/mjsunit/regress/regress-319722-ArrayBuffer.js
 /branches/3.22/test/mjsunit/regress/regress-319722-TypedArrays.js
 /branches/3.22/test/mjsunit/regress/regress-crbug-319835.js
 /branches/3.22/test/mjsunit/regress/regress-crbug-319860.js
Modified:
 /branches/3.22/src/d8.cc
 /branches/3.22/src/elements-kind.cc
 /branches/3.22/src/elements-kind.h
 /branches/3.22/src/hydrogen-dehoist.cc
 /branches/3.22/src/hydrogen-instructions.h
 /branches/3.22/src/lithium.cc
 /branches/3.22/src/lithium.h
 /branches/3.22/src/runtime.cc
 /branches/3.22/src/runtime.h
 /branches/3.22/src/typedarray.js
 /branches/3.22/src/version.cc

=======================================
--- /dev/null
+++ /branches/3.22/test/mjsunit/regress/regress-319722-ArrayBuffer.js Thu Nov 21 10:18:28 2013 UTC
@@ -0,0 +1,47 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --nostress-opt --allow-natives-syntax
+var maxSize = %MaxSmi() + 1;
+var ab = new ArrayBuffer(maxSize);
+
+function TestArray(constr) {
+  assertThrows(function() {
+    new constr(ab, 0, maxSize);
+  }, RangeError);
+}
+
+TestArray(Uint8Array);
+TestArray(Int8Array);
+TestArray(Uint16Array);
+TestArray(Int16Array);
+TestArray(Uint32Array);
+TestArray(Int32Array);
+TestArray(Float32Array);
+TestArray(Float64Array);
+TestArray(Uint8ClampedArray);
+
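Review bot: Only the 1-byte element kinds actually reach the new `Smi::kMaxValue` guard in TypedArrayInitialize; for Uint16Array and wider, `maxSize` elements need more bytes than `ab` holds, so the RangeError is presumably raised by the buffer-bounds check in ConstructByArrayBuffer (outside this diff) and those cases would pass even without the fix. A comment next to the `TestArray` calls would keep that from being misread as full coverage: `// Only the 1-byte kinds reach the Smi::kMaxValue check in the runtime; for wider kinds the byte length exceeds ab.byteLength first.` The same applies to regress-319722-TypedArrays.js, where the multi-byte kinds compute a byteLength that the ArrayBuffer constructor presumably rejects on its own. Note also that `new ArrayBuffer(maxSize)` asks for MaxSmi + 1 bytes, which is a large single allocation and may make the test sensitive to available memory; worth a comment if that is accepted.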
=======================================
--- /dev/null
+++ /branches/3.22/test/mjsunit/regress/regress-319722-TypedArrays.js Thu Nov 21 10:18:28 2013 UTC
@@ -0,0 +1,45 @@
+
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --nostress-opt --allow-natives-syntax
+var maxSize = %MaxSmi() + 1;
+function TestArray(constr) {
+  assertThrows(function() {
+    new constr(maxSize);
+  }, RangeError);
+}
+
+TestArray(Uint8Array);
+TestArray(Int8Array);
+TestArray(Uint16Array);
+TestArray(Int16Array);
+TestArray(Uint32Array);
+TestArray(Int32Array);
+TestArray(Float32Array);
+TestArray(Float64Array);
+TestArray(Uint8ClampedArray);
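Review bot: The file starts with an empty line before the copyright header (the first added line of this hunk), unlike the other three new regression tests in this commit; drop it so the license block is at line 1 as elsewhere in test/mjsunit. The `TestArray` helper and the nine constructor calls are duplicated verbatim from regress-319722-ArrayBuffer.js, which is acceptable for regression tests but a short comment stating that this variant goes through ConstructByLength (typedarray.js) rather than the ArrayBuffer path would document why both files exist: `// Covers ConstructByLength; the ArrayBuffer-backed path is in regress-319722-ArrayBuffer.js.`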
=======================================
--- /dev/null
+++ /branches/3.22/test/mjsunit/regress/regress-crbug-319835.js Thu Nov 21 10:18:28 2013 UTC
@@ -0,0 +1,51 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+try {} catch(e) {}  // No need to optimize the top level.
+
+var size = 0x20000;
+var a = new Float64Array(size);
+var training = new Float64Array(10);
+function store(a, index) {
+  var offset = 0x20000000;
+  for (var i = 0; i < 1; i++) {
+    a[index + offset] = 0xcc;
+  }
+}
+
+store(training, -0x20000000);
+store(training, -0x20000000 + 1);
+store(training, -0x20000000);
+store(training, -0x20000000 + 1);
+%OptimizeFunctionOnNextCall(store);
+
+// Segfault maybe?
+for (var i = -0x20000000; i < -0x20000000 + size; i++) {
+  store(a, i);
+}
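Review bot: The test does not say why `offset = 0x20000000` and Float64Array were chosen, so a future reader cannot tell which limit is being exercised. From the rest of this commit it appears that 0x20000000 (2^29) shifted by 3 for double elements (ElementsKindToShiftSize) would give a byte offset of 2^32, and the new `MaxIndexOffsetBits()` of 31 - 3 = 28 is what keeps that constant from being dehoisted; a header comment such as `// index + 0x20000000 on a Float64Array: the dehoisted byte offset (offset << 3) would not fit in 32 bits, so it must not be folded into the store.` would pin the intent, and the single-iteration `for` loop deserves a short note that it exists to place the access inside a loop for the optimizer. The same gap exists in regress-crbug-319860.js, where `offset = 0x2000000` on an Int8Array and the negative index loop are left unexplained. Both tests also rely on the harness treating a crash as failure rather than on any assertion; stating "expected outcome: no crash" in the comment makes that explicit.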
=======================================
--- /dev/null
+++ /branches/3.22/test/mjsunit/regress/regress-crbug-319860.js Thu Nov 21 10:18:28 2013 UTC
@@ -0,0 +1,47 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+function read(a, index) {
+  var offset = 0x2000000;
+  var result;
+  for (var i = 0; i < 1; i++) {
+    result = a[index + offset];
+  }
+  return result;
+}
+
+var a = new Int8Array(0x2000001);
+read(a, 0);
+read(a, 0);
+%OptimizeFunctionOnNextCall(read);
+
+// Segfault maybe?
+for (var i = 0; i > -1000000; --i) {
+  read(a, i);
+}
=======================================
--- /branches/3.22/src/d8.cc    Fri Oct 25 09:22:31 2013 UTC
+++ /branches/3.22/src/d8.cc    Thu Nov 21 10:18:28 2013 UTC
@@ -1358,6 +1358,9 @@
     if (strcmp(argv[i], "--stress-opt") == 0) {
       options.stress_opt = true;
       argv[i] = NULL;
+    } else if (strcmp(argv[i], "--nostress-opt") == 0) {
+      options.stress_opt = false;
+      argv[i] = NULL;
     } else if (strcmp(argv[i], "--stress-deopt") == 0) {
       options.stress_deopt = true;
       argv[i] = NULL;
=======================================
--- /branches/3.22/src/elements-kind.cc Mon Jul  8 08:38:06 2013 UTC
+++ /branches/3.22/src/elements-kind.cc Thu Nov 21 10:18:28 2013 UTC
@@ -35,6 +35,36 @@
 namespace internal {


+int ElementsKindToShiftSize(ElementsKind elements_kind) {
+  switch (elements_kind) {
+    case EXTERNAL_BYTE_ELEMENTS:
+    case EXTERNAL_PIXEL_ELEMENTS:
+    case EXTERNAL_UNSIGNED_BYTE_ELEMENTS:
+      return 0;
+    case EXTERNAL_SHORT_ELEMENTS:
+    case EXTERNAL_UNSIGNED_SHORT_ELEMENTS:
+      return 1;
+    case EXTERNAL_INT_ELEMENTS:
+    case EXTERNAL_UNSIGNED_INT_ELEMENTS:
+    case EXTERNAL_FLOAT_ELEMENTS:
+      return 2;
+    case EXTERNAL_DOUBLE_ELEMENTS:
+    case FAST_DOUBLE_ELEMENTS:
+    case FAST_HOLEY_DOUBLE_ELEMENTS:
+      return 3;
+    case FAST_SMI_ELEMENTS:
+    case FAST_ELEMENTS:
+    case FAST_HOLEY_SMI_ELEMENTS:
+    case FAST_HOLEY_ELEMENTS:
+    case DICTIONARY_ELEMENTS:
+    case NON_STRICT_ARGUMENTS_ELEMENTS:
+      return kPointerSizeLog2;
+  }
+  UNREACHABLE();
+  return 0;
+}
+
+
 const char* ElementsKindToString(ElementsKind kind) {
   ElementsAccessor* accessor = ElementsAccessor::ForKind(kind);
   return accessor->name();
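Review bot: The definition moved here from lithium.cc still carries no comment saying what it computes, and it now has a public home in elements-kind.h (the declaration at the elements-kind.h hunk is the other natural place). The switch returns 0 for the byte kinds, 1 for the short kinds, 2 for int/float, 3 for double and `kPointerSizeLog2` for the tagged kinds, so a one-liner is accurate: `// Returns log2 of the size in bytes of one element of |elements_kind|.` Since the function falls through to `UNREACHABLE()` for any kind not listed, the comment could add that every ElementsKind must be handled explicitly.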
=======================================
--- /branches/3.22/src/elements-kind.h  Mon Jul 15 15:27:21 2013 UTC
+++ /branches/3.22/src/elements-kind.h  Thu Nov 21 10:18:28 2013 UTC
@@ -77,6 +77,7 @@
 const int kFastElementsKindCount = LAST_FAST_ELEMENTS_KIND -
     FIRST_FAST_ELEMENTS_KIND + 1;

+int ElementsKindToShiftSize(ElementsKind elements_kind);
 const char* ElementsKindToString(ElementsKind kind);
 void PrintElementsKind(FILE* out, ElementsKind kind);

=======================================
--- /branches/3.22/src/hydrogen-dehoist.cc      Mon Aug 12 16:17:40 2013 UTC
+++ /branches/3.22/src/hydrogen-dehoist.cc      Thu Nov 21 10:18:28 2013 UTC
@@ -53,7 +53,7 @@
   int32_t value = constant->Integer32Value() * sign;
   // We limit offset values to 30 bits because we want to avoid the risk of
   // overflows when the offset is added to the object header size.
-  if (value >= 1 << 30 || value < 0) return;
+ if (value >= 1 << array_operation->MaxIndexOffsetBits() || value < 0) return;
   array_operation->SetKey(subexpression);
   if (binary_operation->HasNoUses()) {
     binary_operation->DeleteAndReplaceWith(NULL);
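Review bot: `1 << array_operation->MaxIndexOffsetBits()` is a signed int shift, and for the keyed-array implementation in hydrogen-instructions.h (`31 - ElementsKindToShiftSize(elements_kind_)`) the result is 31 for the byte kinds (shift size 0), so `1 << 31` does not represent 2^31 as an int; in practice it yields INT_MIN, making `value >= ...` true for every offset and silently disabling dehoisting for those kinds (the named-field implementation depends on `kBitsForIndexOffset`, whose value is not visible here). Doing the comparison unsigned avoids the overflow: `int max_bits = array_operation->MaxIndexOffsetBits();` and `if (value < 0 || static_cast<uint32_t>(value) >= (1u << max_bits)) return;`. The comment two lines above still says "We limit offset values to 30 bits", which is no longer what the code does; reword it to `// Limit the offset so that the instruction's index offset field cannot overflow; see MaxIndexOffsetBits().`. The changed line is also indented one space instead of two, breaking the surrounding indentation. The enclosing function starts and ends outside this hunk.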
=======================================
--- /branches/3.22/src/hydrogen-instructions.h  Tue Nov 19 12:54:11 2013 UTC
+++ /branches/3.22/src/hydrogen-instructions.h  Thu Nov 21 10:18:28 2013 UTC
@@ -6074,6 +6074,7 @@
   virtual HValue* GetKey() = 0;
   virtual void SetKey(HValue* key) = 0;
   virtual void SetIndexOffset(uint32_t index_offset) = 0;
+  virtual int MaxIndexOffsetBits() = 0;
   virtual bool IsDehoisted() = 0;
   virtual void SetDehoisted(bool is_dehoisted) = 0;
   virtual ~ArrayInstructionInterface() { };
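Review bot: The new pure virtual `MaxIndexOffsetBits()` has no comment stating its contract, and neither do the two implementations in the later hunks of this file (`return kBitsForIndexOffset;` and `return 31 - ElementsKindToShiftSize(elements_kind_);`). Since hydrogen-dehoist.cc relies on it to decide whether a constant may be folded into the instruction, the interface should say so: `// Number of bits an index offset may occupy; dehoisting must not fold in a larger constant.` For the keyed implementation, the `31 -` appears to keep the byte offset (`index_offset << shift`) within a positive int32, and a why-comment to that effect would help a reader who does not know ElementsKindToShiftSize; please confirm that reading against the code that consumes `index_offset()`, which is outside this hunk.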
@@ -6113,6 +6114,9 @@
   void SetIndexOffset(uint32_t index_offset) {
     bit_field_ = IndexOffsetField::update(bit_field_, index_offset);
   }
+  virtual int MaxIndexOffsetBits() {
+    return kBitsForIndexOffset;
+  }
   HValue* GetKey() { return key(); }
   void SetKey(HValue* key) { SetOperandAt(1, key); }
   bool IsDehoisted() { return IsDehoistedField::decode(bit_field_); }
@@ -6496,6 +6500,9 @@
   ElementsKind elements_kind() const { return elements_kind_; }
   uint32_t index_offset() { return index_offset_; }
void SetIndexOffset(uint32_t index_offset) { index_offset_ = index_offset; }
+  virtual int MaxIndexOffsetBits() {
+    return 31 - ElementsKindToShiftSize(elements_kind_);
+  }
   HValue* GetKey() { return key(); }
   void SetKey(HValue* key) { SetOperandAt(1, key); }
   bool IsDehoisted() { return is_dehoisted_; }
=======================================
--- /branches/3.22/src/lithium.cc       Mon Nov 18 08:39:25 2013 UTC
+++ /branches/3.22/src/lithium.cc       Thu Nov 21 10:18:28 2013 UTC
@@ -231,36 +231,6 @@
   }
   stream->Add("}");
 }
-
-
-int ElementsKindToShiftSize(ElementsKind elements_kind) {
-  switch (elements_kind) {
-    case EXTERNAL_BYTE_ELEMENTS:
-    case EXTERNAL_PIXEL_ELEMENTS:
-    case EXTERNAL_UNSIGNED_BYTE_ELEMENTS:
-      return 0;
-    case EXTERNAL_SHORT_ELEMENTS:
-    case EXTERNAL_UNSIGNED_SHORT_ELEMENTS:
-      return 1;
-    case EXTERNAL_INT_ELEMENTS:
-    case EXTERNAL_UNSIGNED_INT_ELEMENTS:
-    case EXTERNAL_FLOAT_ELEMENTS:
-      return 2;
-    case EXTERNAL_DOUBLE_ELEMENTS:
-    case FAST_DOUBLE_ELEMENTS:
-    case FAST_HOLEY_DOUBLE_ELEMENTS:
-      return 3;
-    case FAST_SMI_ELEMENTS:
-    case FAST_ELEMENTS:
-    case FAST_HOLEY_SMI_ELEMENTS:
-    case FAST_HOLEY_ELEMENTS:
-    case DICTIONARY_ELEMENTS:
-    case NON_STRICT_ARGUMENTS_ELEMENTS:
-      return kPointerSizeLog2;
-  }
-  UNREACHABLE();
-  return 0;
-}


 int StackSlotOffset(int index) {
=======================================
--- /branches/3.22/src/lithium.h        Tue Oct 22 08:00:09 2013 UTC
+++ /branches/3.22/src/lithium.h        Thu Nov 21 10:18:28 2013 UTC
@@ -791,7 +791,6 @@
 };


-int ElementsKindToShiftSize(ElementsKind elements_kind);
 int StackSlotOffset(int index);

 enum NumberUntagDMode {
=======================================
--- /branches/3.22/src/runtime.cc       Thu Nov 14 06:44:36 2013 UTC
+++ /branches/3.22/src/runtime.cc       Thu Nov 21 10:18:28 2013 UTC
@@ -922,6 +922,12 @@
   ASSERT(byte_length % element_size == 0);
   size_t length = byte_length / element_size;

+  if (length > static_cast<unsigned>(Smi::kMaxValue)) {
+    return isolate->Throw(*isolate->factory()->
+          NewRangeError("invalid_typed_array_length",
+            HandleVector<Object>(NULL, 0)));
+  }
+
Handle<Object> length_obj = isolate->factory()->NewNumberFromSize(length);
   holder->set_length(*length_obj);
   holder->set_weak_next(buffer->weak_first_view());
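Review bot: This runtime-side length check is the one that actually bounds `holder->set_length`, since the JS check added in typedarray.js (`if (l > %MaxSmi())`) only covers ConstructByLength and any other caller of %TypedArrayInitialize bypasses it; a comment saying so would stop a later cleanup from removing it as redundant: `// Authoritative bound: the JS wrappers check this too, but every caller of this runtime function must be covered.` The expression `static_cast<unsigned>(Smi::kMaxValue)` is repeated in the next hunk of this file (`if ((length > static_cast<unsigned>(Smi::kMaxValue)) ||`); a single named constant such as `kMaxTypedArrayLength` would keep the two from drifting. The enclosing runtime function starts before this hunk.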
@@ -961,9 +967,11 @@

   Handle<JSArrayBuffer> buffer = isolate->factory()->NewJSArrayBuffer();
   size_t length = NumberToSize(isolate, *length_obj);
-  if (length > (kMaxInt / element_size)) {
+
+  if ((length > static_cast<unsigned>(Smi::kMaxValue)) ||
+      (length > (kMaxInt / element_size))) {
     return isolate->Throw(*isolate->factory()->
-          NewRangeError("invalid_array_buffer_length",
+          NewRangeError("invalid_typed_array_length",
             HandleVector<Object>(NULL, 0)));
   }
   size_t byte_length = length * element_size;
@@ -14787,6 +14795,11 @@
                                 Handle<Object>::null(),
                                 caller_args);
 }
+
+
+RUNTIME_FUNCTION(MaybeObject*, Runtime_MaxSmi) {
+  return Smi::FromInt(Smi::kMaxValue);
+}
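Review bot: `Runtime_MaxSmi` does not check its argument count, whereas runtime functions in this file conventionally assert it against the arity declared in runtime.h (here `F(MaxSmi, 0, 1)`); adding `ASSERT(args.length() == 0);` as the first statement keeps it consistent, and if the neighbouring functions open a `SealHandleScope` as well, this one should too. A one-line comment that the function exists for `--allow-natives-syntax` tests (`// Exposed to tests as %MaxSmi().`) would make clear it is not meant for production callers.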


// ----------------------------------------------------------------------------
=======================================
--- /branches/3.22/src/runtime.h        Tue Oct 15 08:25:05 2013 UTC
+++ /branches/3.22/src/runtime.h        Thu Nov 21 10:18:28 2013 UTC
@@ -112,6 +112,7 @@
   F(FlattenString, 1, 1) \
   F(MigrateInstance, 1, 1) \
   F(NotifyContextDisposed, 0, 1) \
+  F(MaxSmi, 0, 1) \
   \
   /* Array join support */ \
   F(PushIfAbsent, 2, 1) \
=======================================
--- /branches/3.22/src/typedarray.js    Wed Oct 16 09:00:56 2013 UTC
+++ /branches/3.22/src/typedarray.js    Thu Nov 21 10:18:28 2013 UTC
@@ -69,6 +69,9 @@

   function ConstructByLength(obj, length) {
     var l = ToPositiveInteger(length, "invalid_typed_array_length");
+    if (l > %MaxSmi()) {
+      throw MakeRangeError("invalid_typed_array_length");
+    }
     var byteLength = l * elementSize;
     var buffer = new $ArrayBuffer(byteLength);
     %TypedArrayInitialize(obj, arrayId, buffer, 0, byteLength);
=======================================
--- /branches/3.22/src/version.cc       Tue Nov 19 12:54:11 2013 UTC
+++ /branches/3.22/src/version.cc       Thu Nov 21 10:18:28 2013 UTC
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     22
 #define BUILD_NUMBER      24
-#define PATCH_LEVEL       6
+#define PATCH_LEVEL       7
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
