Reviewers: jarin,
Message:
PTAL.
Description:
Harden more runtime functions
BUG=chromium:372239
LOG=n
Please review this at https://codereview.chromium.org/282493005/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+18, -2 lines):
M src/hydrogen.cc
M src/objects.h
M src/runtime.cc
Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index
ba0fcab3114ca4628d3b354b172c74e4b1a4c73f..eea23c1a5383bf7fca78504dbe9c2039d0217d2d
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8889,10 +8889,20 @@ void
HOptimizedGraphBuilder::GenerateTypedArrayInitialize(
CHECK_ALIVE(VisitForValue(arguments->at(kObjectArg)));
HValue* obj = Pop();
- ASSERT(arguments->at(kArrayIdArg)->node_type() == AstNode::kLiteral);
+ if (arguments->at(kArrayIdArg)->node_type() != AstNode::kLiteral) {
+ // This should never happen in real use, but can happen when fuzzing.
+ // Just bail out.
+ Bailout(kNeedSmiLiteral);
+ return;
+ }
Handle<Object> value =
static_cast<Literal*>(arguments->at(kArrayIdArg))->value();
- ASSERT(value->IsSmi());
+ if (!value->IsSmi()) {
+ // This should never happen in real use, but can happen when fuzzing.
+ // Just bail out.
+ Bailout(kNeedSmiLiteral);
+ return;
+ }
int array_id = Smi::cast(*value)->value();
HValue* buffer;
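Review bot: The two new guards differ only in their condition, so the Bailout(kNeedSmiLiteral) call and its two-line comment are written twice; a single guard that short-circuits on the node type before the Literal cast expresses the same check once and keeps the cast safe. The rewrite below is behaviour-preserving: the second operand of `||` is only evaluated when the node is a literal, exactly as the original ordering guarantees. The change itself is the right hardening move, since the ASSERTs it replaces appear to be debug-only and gave the release build no protection against the fuzzer input referenced in the bug. GenerateTypedArrayInitialize's body continues past the hunk.
```cpp
HValue* obj = Pop();
if (arguments->at(kArrayIdArg)->node_type() != AstNode::kLiteral ||
    !static_cast<Literal*>(arguments->at(kArrayIdArg))->value()->IsSmi()) {
  // Should never happen in real use, but can happen when fuzzing: bail out
  // instead of crashing on a non-literal or non-Smi array id.
  Bailout(kNeedSmiLiteral);
  return;
}
Handle<Object> value =
    static_cast<Literal*>(arguments->at(kArrayIdArg))->value();
int array_id = Smi::cast(*value)->value();
// … unchanged: buffer handling follows …
```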
Index: src/objects.h
diff --git a/src/objects.h b/src/objects.h
index
fa399000b49f95cdf7e0f3314fb3109b7e116d16..d642e1e7da88b4f57bf49f79b485031f771a1ef3
100644
--- a/src/objects.h
+++ b/src/objects.h
@@ -1166,6 +1166,7 @@ template <class C> inline bool Is(Object* obj);
V(kModuleVariable, "Module
variable") \
V(kModuleUrl, "Module
url") \
V(kNativeFunctionLiteral, "Native function
literal") \
+ V(kNeedSmiLiteral, "Need a Smi literal
here") \
V(kNoCasesLeft, "No cases
left") \
V(kNoEmptyArraysHereInEmitFastAsciiArrayJoin,
\
"No empty arrays here in
EmitFastAsciiArrayJoin") \
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index
abe9509a7d7e653fcdaa96fbc2fc8266c0f7ef14..722624b6eac5253f716f08647816b7aba3e197c3
100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -3030,6 +3030,8 @@ RUNTIME_FUNCTION(Runtime_FunctionSetLength) {
CONVERT_ARG_CHECKED(JSFunction, fun, 0);
CONVERT_SMI_ARG_CHECKED(length, 1);
+ RUNTIME_ASSERT((length & 0xC0000000) == 0xC0000000 ||
+ (length & 0xC0000000) == 0x000000000);
fun->shared()->set_length(length);
return isolate->heap()->undefined_value();
}
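Review bot: The added mask check carries no comment saying which invariant it enforces, and the second literal `0x000000000` has nine hex digits — still zero, but it reads like a typo and should be written as `0`. Both accepted bit patterns (top two bits both set or both clear) mean the value fits in a 31-bit signed integer, presumably so that the length stored via `set_length` fits its Smi-sized field; stating that makes the magic constant reviewable. Suggested form: `// length must fit in 31 signed bits: top two bits both set or both clear.` above `RUNTIME_ASSERT((length & 0xC0000000) == 0xC0000000 || (length & 0xC0000000) == 0);`.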
@@ -4882,6 +4884,7 @@ RUNTIME_FUNCTION(Runtime_NumberToFixed) {
int f = FastD2IChecked(f_number);
// See DoubleToFixedCString for these constants:
RUNTIME_ASSERT(f >= 0 && f <= 20);
+ RUNTIME_ASSERT(!Double(value).IsSpecial());
char* str = DoubleToFixedCString(value, f);
Handle<String> result =
isolate->factory()->NewStringFromAsciiChecked(str);
DeleteArray(str);
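Review bot: The added `RUNTIME_ASSERT(!Double(value).IsSpecial())` rejects NaN and ±Infinity but has no comment, whereas the neighbouring `f` range check points the reader at DoubleToFixedCString for its constants; the identical asserts added in the Runtime_NumberToExponential and Runtime_NumberToPrecision hunks below have the same gap. A one-line comment such as `// The C string formatter below requires a finite value; a non-finite input here is a caller bug.` would document the precondition in all three places. If DoubleToFixedCString also has a magnitude precondition (for example values at or above 1e21 being left to the caller to format), that bound would belong in the same assert, but I cannot confirm it from this hunk. Each RUNTIME_FUNCTION body starts and ends outside its hunk.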
@@ -4897,6 +4900,7 @@ RUNTIME_FUNCTION(Runtime_NumberToExponential) {
CONVERT_DOUBLE_ARG_CHECKED(f_number, 1);
int f = FastD2IChecked(f_number);
RUNTIME_ASSERT(f >= -1 && f <= 20);
+ RUNTIME_ASSERT(!Double(value).IsSpecial());
char* str = DoubleToExponentialCString(value, f);
Handle<String> result =
isolate->factory()->NewStringFromAsciiChecked(str);
DeleteArray(str);
@@ -4912,6 +4916,7 @@ RUNTIME_FUNCTION(Runtime_NumberToPrecision) {
CONVERT_DOUBLE_ARG_CHECKED(f_number, 1);
int f = FastD2IChecked(f_number);
RUNTIME_ASSERT(f >= 1 && f <= 21);
+ RUNTIME_ASSERT(!Double(value).IsSpecial());
char* str = DoubleToPrecisionCString(value, f);
Handle<String> result =
isolate->factory()->NewStringFromAsciiChecked(str);
DeleteArray(str);