Reviewers: ulan,

Description:
Merged r18116 into 3.22 branch.

Fix missing bounds check in n-arguments Array constructor.

BUG=v8:3027
[email protected]

Please review this at https://codereview.chromium.org/137203010/

SVN Base: https://v8.googlecode.com/svn/branches/3.22

Affected files (+23, -17 lines):
  M src/code-stubs-hydrogen.cc
  M src/version.cc
  A + test/mjsunit/regress/regress-3027.js


Index: src/code-stubs-hydrogen.cc
diff --git a/src/code-stubs-hydrogen.cc b/src/code-stubs-hydrogen.cc
index 19b6088dd1d0db00e348fdf5cab3773002eb6e66..3232a74cc34cb5f960fdbf89b8ddb0edc54d2be4 100644
--- a/src/code-stubs-hydrogen.cc
+++ b/src/code-stubs-hydrogen.cc
@@ -721,15 +721,23 @@ HValue* CodeStubGraphBuilderBase::BuildArraySingleArgumentConstructor(

 HValue* CodeStubGraphBuilderBase::BuildArrayNArgumentsConstructor(
     JSArrayBuilder* array_builder, ElementsKind kind) {
+  // Insert a bounds check because the number of arguments might exceed
+  // the kInitialMaxFastElementArray limit. This cannot happen for code
+  // that was parsed, but calling via Array.apply(thisArg, [...]) might
+  // trigger it.
+  HValue* length = GetArgumentsLength();
+  HConstant* max_alloc_length =
+      Add<HConstant>(JSObject::kInitialMaxFastElementArray);
+  HValue* checked_length = Add<HBoundsCheck>(length, max_alloc_length);
+
// We need to fill with the hole if it's a smi array in the multi-argument
   // case because we might have to bail out while copying arguments into
   // the array because they aren't compatible with a smi array.
   // If it's a double array, no problem, and if it's fast then no
   // problem either because doubles are boxed.
-  HValue* length = GetArgumentsLength();
   bool fill_with_hole = IsFastSmiElementsKind(kind);
-  HValue* new_object = array_builder->AllocateArray(length,
-                                                    length,
+  HValue* new_object = array_builder->AllocateArray(checked_length,
+                                                    checked_length,
                                                     fill_with_hole);
   HValue* elements = array_builder->GetElementsLocation();
   ASSERT(elements != NULL);
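Review bot: The new comment at the top of the hunk explains why the check is inserted but not what it guards or what happens when it fails, which is the part a later reader auditing this path needs; the unchecked `length` previously sized both `AllocateArray` arguments and (in the following hunk) the copy loop and `HAccessArgumentsAt`. I would extend the comment with `// The checked length sizes the fast allocation below and bounds the copy loop; a failing check bails out of the stub (presumably by deoptimizing to the generic constructor — confirm).` Also worth one word in the comment: `HBoundsCheck(length, max_alloc_length)` appears to compare the argument count against the limit as index-vs-length, so a count exactly equal to `kInitialMaxFastElementArray` would presumably fail the check as well; if that is intentional (conservative), say so, otherwise the limit may need to be `+ 1`. `BuildArrayNArgumentsConstructor` continues past the end of this hunk.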
@@ -739,10 +747,10 @@ HValue* CodeStubGraphBuilderBase::BuildArrayNArgumentsConstructor(
                       context(),
                       LoopBuilder::kPostIncrement);
   HValue* start = graph()->GetConstant0();
-  HValue* key = builder.BeginBody(start, length, Token::LT);
+  HValue* key = builder.BeginBody(start, checked_length, Token::LT);
   HInstruction* argument_elements = Add<HArgumentsElements>(false);
   HInstruction* argument = Add<HAccessArgumentsAt>(
-      argument_elements, length, key);
+      argument_elements, checked_length, key);

   Add<HStoreKeyed>(elements, key, argument, kind);
   builder.EndBody();
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index 685fde02891a5f9aa721db7c8b7d2e059ab6fbcc..dfda1a3ba6d7adaef82b95abb6dd27f5105e4021 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     22
 #define BUILD_NUMBER      24
-#define PATCH_LEVEL       16
+#define PATCH_LEVEL       17
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-3027.js
diff --git a/test/mjsunit/regress/regress-331444.js b/test/mjsunit/regress/regress-3027.js
similarity index 85%
copy from test/mjsunit/regress/regress-331444.js
copy to test/mjsunit/regress/regress-3027.js
index c78d6fb71b7c455abfcd1450d80b5c8a6dcb6e38..c7ebd539b685763ae30c778922c484d64ae44e6b 100644
--- a/test/mjsunit/regress/regress-331444.js
+++ b/test/mjsunit/regress/regress-3027.js
@@ -1,4 +1,4 @@
-// Copyright 2014 the V8 project authors. All rights reserved.
+// Copyright 2013 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
@@ -25,20 +25,18 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-// Flags: --expose-gc
+// Test to exceed the Heap::MaxRegularSpaceAllocationSize with an array
+// constructor call taking many arguments.

 function boom() {
   var args = [];
-  for (var i = 0; i < 125000; i++)
+  for (var i = 0; i < 125000; i++) {
     args.push(i);
+  }
   return Array.apply(Array, args);
 }
+
 var array = boom();
-function fib(n) {
-  var f0 = 0, f1 = 1;
-  for (; n > 0; n = n - 1) {
-    f0 + f1;
-    f0 = array;
-  }
-}
-fib(12);
+
+assertEquals(125000, array.length);
+assertEquals(124999, array[124999]);
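Review bot: The header comment names `Heap::MaxRegularSpaceAllocationSize` as the limit being exceeded, while the fix in code-stubs-hydrogen.cc checks against `JSObject::kInitialMaxFastElementArray`; unless the two are the same bound, the test comment should name the limit the fix actually enforces, e.g. `// Test that an Array constructor call with more than kInitialMaxFastElementArray arguments (via Array.apply) takes the checked path.` The test also only exercises the smi-elements kind; since the bounds check applies to every `ElementsKind`, a second call with a non-smi payload would pin the other paths, e.g. `var darr = Array.apply(Array, args.map(function (i) { return i + 0.5; })); assertEquals(125000, darr.length); assertEquals(124999.5, darr[124999]);`. Finally, the copied file's copyright year goes from 2014 back to 2013 in the first hunk, which looks accidental for a file added in this change.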

