Revision: 18740
Author: [email protected]
Date: Wed Jan 22 12:28:46 2014 UTC
Log: Merged r18116 into 3.22 branch.
Fix missing bounds check in n-arguments Array constructor.
BUG=v8:3027
[email protected]
Review URL: https://codereview.chromium.org/137203010
http://code.google.com/p/v8/source/detail?r=18740
Added:
/branches/3.22/test/mjsunit/regress/regress-3027.js
Modified:
/branches/3.22/src/code-stubs-hydrogen.cc
/branches/3.22/src/version.cc
=======================================
--- /dev/null
+++ /branches/3.22/test/mjsunit/regress/regress-3027.js Wed Jan 22 12:28:46
2014 UTC
@@ -0,0 +1,42 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Test to exceed the Heap::MaxRegularSpaceAllocationSize with an array
+// constructor call taking many arguments.
+
+function boom() {
+ var args = [];
+ for (var i = 0; i < 125000; i++) {
+ args.push(i);
+ }
+ return Array.apply(Array, args);
+}
+
+var array = boom();
+
+assertEquals(125000, array.length);
+assertEquals(124999, array[124999]);
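Review bot: The constant 125000 on line 52 is not tied to any named limit, so a reader cannot tell whether the test still exceeds the bound once JSObject::kInitialMaxFastElementArray or Heap::MaxRegularSpaceAllocationSize changes; the file comment names the latter while the fix in code-stubs-hydrogen.cc bounds-checks the former. A comment above the loop such as `// 125000 must stay above JSObject::kInitialMaxFastElementArray, the bound the array stub checks; revisit if that constant changes.` would keep the test and the check in step (that this is the value the number was chosen against is inferred from the fix, so confirm before committing to it). The test pushes only small integers, so only the smi elements kind of the stub is exercised; a second run pushing doubles, e.g. `args.push(i + 0.5);`, would also cover the double-elements allocation the existing stub comment singles out. The copyright header says 2013 for a file added in January 2014.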
=======================================
--- /branches/3.22/src/code-stubs-hydrogen.cc Thu Nov 21 14:01:32 2013 UTC
+++ /branches/3.22/src/code-stubs-hydrogen.cc Wed Jan 22 12:28:46 2014 UTC
@@ -721,15 +721,23 @@
HValue* CodeStubGraphBuilderBase::BuildArrayNArgumentsConstructor(
JSArrayBuilder* array_builder, ElementsKind kind) {
+ // Insert a bounds check because the number of arguments might exceed
+ // the kInitialMaxFastElementArray limit. This cannot happen for code
+ // that was parsed, but calling via Array.apply(thisArg, [...]) might
+ // trigger it.
+ HValue* length = GetArgumentsLength();
+ HConstant* max_alloc_length =
+ Add<HConstant>(JSObject::kInitialMaxFastElementArray);
+ HValue* checked_length = Add<HBoundsCheck>(length, max_alloc_length);
+
// We need to fill with the hole if it's a smi array in the
multi-argument
// case because we might have to bail out while copying arguments into
// the array because they aren't compatible with a smi array.
// If it's a double array, no problem, and if it's fast then no
// problem either because doubles are boxed.
- HValue* length = GetArgumentsLength();
bool fill_with_hole = IsFastSmiElementsKind(kind);
- HValue* new_object = array_builder->AllocateArray(length,
- length,
+ HValue* new_object = array_builder->AllocateArray(checked_length,
+ checked_length,
fill_with_hole);
HValue* elements = array_builder->GetElementsLocation();
ASSERT(elements != NULL);
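Review bot: The new comment on lines 68-71 says the argument count might exceed kInitialMaxFastElementArray but not what happens when it does, nor why the check must sit before AllocateArray, so a later reordering of the allocation could silently reintroduce the bug. I would extend it with `// The check must precede AllocateArray: on failure HBoundsCheck leaves the optimized stub instead of inlining an allocation larger than the fast path can handle.` (the exact fallback target is not visible in this hunk, so word it to match what the deopt actually does). The unchecked `length` on line 72 stays in scope for the rest of the function; the second hunk switches the loop to `checked_length`, but the function continues past that hunk, so any remaining use of `length` after the loop cannot be confirmed from here and should be checked. Whether kInitialMaxFastElementArray is also safe for the double elements kind, whose elements take twice the space the existing comment contrasts with smi arrays, cannot be verified from this hunk and is worth confirming against the heap limit.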
@@ -739,10 +747,10 @@
context(),
LoopBuilder::kPostIncrement);
HValue* start = graph()->GetConstant0();
- HValue* key = builder.BeginBody(start, length, Token::LT);
+ HValue* key = builder.BeginBody(start, checked_length, Token::LT);
HInstruction* argument_elements = Add<HArgumentsElements>(false);
HInstruction* argument = Add<HAccessArgumentsAt>(
- argument_elements, length, key);
+ argument_elements, checked_length, key);
Add<HStoreKeyed>(elements, key, argument, kind);
builder.EndBody();
=======================================
--- /branches/3.22/src/version.cc Tue Jan 21 20:07:40 2014 UTC
+++ /branches/3.22/src/version.cc Wed Jan 22 12:28:46 2014 UTC
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 22
#define BUILD_NUMBER 24
-#define PATCH_LEVEL 16
+#define PATCH_LEVEL 17
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0