Reviewers: Jakob,

Message:
PTAL

Description:
Ensure that length is Smi in TypedArrayFromArrayLike constructor.

[email protected]
BUG=324028
LOG=Y

Please review this at https://codereview.chromium.org/94473002/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+13, -21 lines):
  M src/typedarray.js
  A + test/mjsunit/regress/regress-324028.js


Index: src/typedarray.js
diff --git a/src/typedarray.js b/src/typedarray.js
index fc3a608f46ff83afd30b4b1108ac1f24e2419602..e15c4c17b13c31423e23d047eb1684882da6e005 100644
--- a/src/typedarray.js
+++ b/src/typedarray.js
@@ -98,6 +98,9 @@ macro TYPED_ARRAY_CONSTRUCTOR(ARRAY_ID, NAME, ELEMENT_SIZE)
   function NAMEConstructByArrayLike(obj, arrayLike) {
     var length = arrayLike.length;
     var l = ToPositiveInteger(length, "invalid_typed_array_length");
+    if (l > %MaxSmi()) {
+      throw MakeRangeError("invalid_typed_array_length");
+    }
     if(!%TypedArrayInitializeFromArrayLike(obj, ARRAY_ID, arrayLike, l)) {
       for (var i = 0; i < l; i++) {
         // It is crucial that we let any execptions from arrayLike[i]
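Review bot: The new `l > %MaxSmi()` guard carries no comment naming the invariant it protects. Going by the description, the runtime call on the next line presumably expects the length as a Smi, and that should be stated at the check, e.g. `// %TypedArrayInitializeFromArrayLike requires l to be a Smi; reject anything larger here.` The guard bounds the element count only, so whether `l * ELEMENT_SIZE` is range-checked for the wider element types depends on the runtime function, which is not visible in this hunk and is worth confirming. NAMEConstructByArrayLike's body continues past the end of the hunk.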
Index: test/mjsunit/regress/regress-324028.js
diff --git a/test/intl/break-iterator/protected-icu-internals.js b/test/mjsunit/regress/regress-324028.js
similarity index 71%
copy from test/intl/break-iterator/protected-icu-internals.js
copy to test/mjsunit/regress/regress-324028.js
index ad1dc54fbedf1f52687834bcbd1c64ee2a1dc4b1..7fe0fcd81f90a58ef19d8dc3c44b99d72f281ea7 100644
--- a/test/intl/break-iterator/protected-icu-internals.js
+++ b/test/mjsunit/regress/regress-324028.js
@@ -25,25 +25,14 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-// Internal object we got from native code should not be writable,
-// configurable or enumerable. One can still change its public properties, but
-// we don't use them to do actual work.
+var badObj = { length : 1e40 };

-var iterator = new Intl.v8BreakIterator([]);
-
-// Direct write should fail.
-iterator.iterator = {'zzz':'some random object'};
-
-assertFalse(iterator.iterator.hasOwnProperty('zzz'));
-
-// Try redefining the property.
-var didThrow = false;
-try {
-  Object.defineProperty(iterator, 'iterator', {value: undefined});
-} catch(e) {
-  didThrow = true;
-}
-assertTrue(didThrow);
-
-// Try deleting the property.
-assertFalse(delete iterator.iterator);
+assertThrows(function() { new Uint8Array(badObj); }, RangeError);
+assertThrows(function() { new Uint8ClampedArray(badObj); }, RangeError);
+assertThrows(function() { new Int8Array(badObj); }, RangeError);
+assertThrows(function() { new Uint16Array(badObj); }, RangeError);
+assertThrows(function() { new Int16Array(badObj); }, RangeError);
+assertThrows(function() { new Uint32Array(badObj); }, RangeError);
+assertThrows(function() { new Int32Array(badObj); }, RangeError);
+assertThrows(function() { new Float32Array(badObj); }, RangeError);
+assertThrows(function() { new Float64Array(badObj); }, RangeError);
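Review bot: The regression test exercises only `length : 1e40`, which is far beyond the limit, so it would still pass if the guard in src/typedarray.js compared against a larger bound or were off by one. Add a case just past the Smi range, for example `assertThrows(function() { new Uint8Array({ length : 0x80000000 }); }, RangeError);`, and one with `length : Infinity`. A single positive case with a small array-like, checking the resulting array's length, would also show that the guard does not reject valid lengths.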

