Reviewers: Dmitry Lomov (chromium),
Message:
As discussed, this is my current work in progress. Any comments so far?
https://codereview.chromium.org/239313002/diff/1/src/runtime.cc
File src/runtime.cc (right):
https://codereview.chromium.org/239313002/diff/1/src/runtime.cc#newcode565
src/runtime.cc:565: RUNTIME_ASSERT(literals_index >= 0 && literals_index
< literals->length());
Urgh. After rebasing, this doesn't compile any more. Will have to
refactor this.
https://codereview.chromium.org/239313002/diff/1/src/runtime.cc#newcode862
src/runtime.cc:862: if (byteLength->IsSmi()) {
Come to think of it, we can probably just call NumberToSize(byteLength)
here.
https://codereview.chromium.org/239313002/diff/1/src/runtime.cc#newcode902
src/runtime.cc:902: size_t start = NumberToSize(isolate, first);
As discussed, we'll want to return an exception rather than CHECK()ing
in case of failure.
Description:
Harden runtime functions
Part 1 of many.
Please review this at https://codereview.chromium.org/239313002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+27, -28 lines):
M src/runtime.cc
M src/v8conversions.h
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index
ab3e8ec3572136061e342288c9c1ba58ddaf8159..4e62be80af917afb403d5fd9889bd2c0ef9e5eb9
100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -483,6 +483,8 @@ RUNTIME_FUNCTION(MaybeObject*,
RuntimeHidden_CreateObjectLiteral) {
bool should_have_fast_elements = (flags &
ObjectLiteral::kFastElements) != 0;
bool has_function_literal = (flags & ObjectLiteral::kHasFunction) != 0;
+ RUNTIME_ASSERT(literals_index >= 0 && literals_index <
literals->length());
+
// Check if boilerplate exists. If not, create it first.
Handle<Object> literal_site(literals->get(literals_index), isolate);
Handle<AllocationSite> site;
@@ -560,6 +562,7 @@ static MaybeHandle<JSObject>
CreateArrayLiteralImpl(Isolate* isolate,
int literals_index,
Handle<FixedArray> elements,
int flags) {
+ RUNTIME_ASSERT(literals_index >= 0 && literals_index <
literals->length());
Handle<AllocationSite> site;
ASSIGN_RETURN_ON_EXCEPTION(
isolate, site,
@@ -817,7 +820,7 @@ bool Runtime::SetupArrayBufferAllocatingData(
data = V8::ArrayBufferAllocator()->Allocate(allocated_length);
} else {
data =
-
V8::ArrayBufferAllocator()->AllocateUninitialized(allocated_length);
+
V8::ArrayBufferAllocator()->AllocateUninitialized(allocated_length);
}
if (data == NULL) return false;
} else {
@@ -854,30 +857,28 @@ RUNTIME_FUNCTION(MaybeObject*,
Runtime_ArrayBufferInitialize) {
HandleScope scope(isolate);
ASSERT(args.length() == 2);
CONVERT_ARG_HANDLE_CHECKED(JSArrayBuffer, holder, 0);
- CONVERT_ARG_HANDLE_CHECKED(Object, byteLength, 1);
- size_t allocated_length;
+ CONVERT_ARG_HANDLE_CHECKED(Number, byteLength, 1);
+ size_t allocated_length = 0;
if (byteLength->IsSmi()) {
- allocated_length = Smi::cast(*byteLength)->value();
+ int smi_value = Smi::cast(*byteLength)->value();
+ RUNTIME_ASSERT(smi_value >= 0);
+ allocated_length = smi_value;
} else {
ASSERT(byteLength->IsHeapNumber());
double value = HeapNumber::cast(*byteLength)->value();
-
- ASSERT(value >= 0);
-
- if (value > std::numeric_limits<size_t>::max()) {
+ if (value < 0 || value > std::numeric_limits<size_t>::max()) {
return isolate->Throw(
*isolate->factory()->NewRangeError("invalid_array_buffer_length",
- HandleVector<Object>(NULL, 0)));
+ HandleVector<Object>(NULL,
0)));
}
-
allocated_length = static_cast<size_t>(value);
}
if (!Runtime::SetupArrayBufferAllocatingData(isolate,
holder, allocated_length)) {
- return isolate->Throw(*isolate->factory()->
- NewRangeError("invalid_array_buffer_length",
- HandleVector<Object>(NULL, 0)));
+ return isolate->Throw(
+ *isolate->factory()->NewRangeError("invalid_array_buffer_length",
+ HandleVector<Object>(NULL, 0)));
}
return *holder;
@@ -897,15 +898,15 @@ RUNTIME_FUNCTION(MaybeObject*,
Runtime_ArrayBufferSliceImpl) {
ASSERT(args.length() == 3);
CONVERT_ARG_HANDLE_CHECKED(JSArrayBuffer, source, 0);
CONVERT_ARG_HANDLE_CHECKED(JSArrayBuffer, target, 1);
- CONVERT_DOUBLE_ARG_CHECKED(first, 2);
- size_t start = static_cast<size_t>(first);
+ CONVERT_ARG_HANDLE_CHECKED(Number, first, 2);
+ size_t start = NumberToSize(isolate, first);
size_t target_length = NumberToSize(isolate, target->byte_length());
if (target_length == 0) return isolate->heap()->undefined_value();
size_t source_byte_length = NumberToSize(isolate, source->byte_length());
- CHECK(start <= source_byte_length);
- CHECK(source_byte_length - start >= target_length);
+ RUNTIME_ASSERT(start <= source_byte_length);
+ RUNTIME_ASSERT(source_byte_length - start >= target_length);
uint8_t* source_data =
reinterpret_cast<uint8_t*>(source->backing_store());
uint8_t* target_data =
reinterpret_cast<uint8_t*>(target->backing_store());
CopyBytes(target_data, source_data + start, target_length);
@@ -917,14 +918,13 @@ RUNTIME_FUNCTION(MaybeObject*,
Runtime_ArrayBufferIsView) {
HandleScope scope(isolate);
ASSERT(args.length() == 1);
CONVERT_ARG_CHECKED(Object, object, 0);
- return object->IsJSArrayBufferView()
- ? isolate->heap()->true_value()
- : isolate->heap()->false_value();
+ return isolate->heap()->ToBoolean(object->IsJSArrayBufferView());
}
RUNTIME_FUNCTION(MaybeObject*, Runtime_ArrayBufferNeuter) {
HandleScope scope(isolate);
+ ASSERT(args.length() == 1);
CONVERT_ARG_HANDLE_CHECKED(JSArrayBuffer, array_buffer, 0);
if (array_buffer->backing_store() == NULL) {
CHECK(Smi::FromInt(0) == array_buffer->byte_length());
@@ -970,8 +970,8 @@ RUNTIME_FUNCTION(MaybeObject*,
Runtime_TypedArrayInitialize) {
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, holder, 0);
CONVERT_SMI_ARG_CHECKED(arrayId, 1);
CONVERT_ARG_HANDLE_CHECKED(Object, maybe_buffer, 2);
- CONVERT_ARG_HANDLE_CHECKED(Object, byte_offset_object, 3);
- CONVERT_ARG_HANDLE_CHECKED(Object, byte_length_object, 4);
+ CONVERT_ARG_HANDLE_CHECKED(Number, byte_offset_object, 3);
+ CONVERT_ARG_HANDLE_CHECKED(Number, byte_length_object, 4);
ASSERT(holder->GetInternalFieldCount() ==
v8::ArrayBufferView::kInternalFieldCount);
@@ -1000,9 +1000,9 @@ RUNTIME_FUNCTION(MaybeObject*,
Runtime_TypedArrayInitialize) {
size_t length = byte_length / element_size;
if (length > static_cast<unsigned>(Smi::kMaxValue)) {
- return isolate->Throw(*isolate->factory()->
- NewRangeError("invalid_typed_array_length",
- HandleVector<Object>(NULL, 0)));
+ return isolate->Throw(
+ *isolate->factory()->NewRangeError("invalid_typed_array_length",
+ HandleVector<Object>(NULL, 0)));
}
Handle<Object> length_obj =
isolate->factory()->NewNumberFromSize(length);
Index: src/v8conversions.h
diff --git a/src/v8conversions.h b/src/v8conversions.h
index
b38dde74875dcb7798d5d7bc810e161a4529b7c4..eb315b18efd36cb6a2091451bd098c59dd1ec0c3
100644
--- a/src/v8conversions.h
+++ b/src/v8conversions.h
@@ -75,9 +75,8 @@ inline bool TryNumberToSize(Isolate* isolate,
SealHandleScope shs(isolate);
if (number->IsSmi()) {
int value = Smi::cast(number)->value();
- ASSERT(
- static_cast<unsigned>(Smi::kMaxValue)
- <= std::numeric_limits<size_t>::max());
+ ASSERT(static_cast<unsigned>(Smi::kMaxValue)
+ <= std::numeric_limits<size_t>::max());
if (value >= 0) {
*result = static_cast<size_t>(value);
return true;
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
