Revision: 21271
Author: [email protected]
Date: Mon May 12 15:30:00 2014 UTC
Log: Harden more runtime functions
BUG=chromium:372239
LOG=n
[email protected]
Review URL: https://codereview.chromium.org/282493005
http://code.google.com/p/v8/source/detail?r=21271
Modified:
/branches/bleeding_edge/src/hydrogen.cc
/branches/bleeding_edge/src/objects-inl.h
/branches/bleeding_edge/src/objects.h
/branches/bleeding_edge/src/runtime.cc
=======================================
--- /branches/bleeding_edge/src/hydrogen.cc Mon May 12 07:49:11 2014 UTC
+++ /branches/bleeding_edge/src/hydrogen.cc Mon May 12 15:30:00 2014 UTC
@@ -8889,10 +8889,20 @@
CHECK_ALIVE(VisitForValue(arguments->at(kObjectArg)));
HValue* obj = Pop();
- ASSERT(arguments->at(kArrayIdArg)->node_type() == AstNode::kLiteral);
+ if (arguments->at(kArrayIdArg)->node_type() != AstNode::kLiteral) {
+ // This should never happen in real use, but can happen when fuzzing.
+ // Just bail out.
+ Bailout(kNeedSmiLiteral);
+ return;
+ }
Handle<Object> value =
static_cast<Literal*>(arguments->at(kArrayIdArg))->value();
- ASSERT(value->IsSmi());
+ if (!value->IsSmi()) {
+ // This should never happen in real use, but can happen when fuzzing.
+ // Just bail out.
+ Bailout(kNeedSmiLiteral);
+ return;
+ }
int array_id = Smi::cast(*value)->value();
HValue* buffer;
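Review bot: The two new bailouts only establish that the array-id argument is a Smi literal; `int array_id = Smi::cast(*value)->value();` still yields an arbitrary 31-bit value, and the code that consumes it starts below the hunk, so I cannot see whether an out-of-range id is rejected there. If it is switched on without a default or used as a table index, a fuzzed intrinsic call with an unexpected id would still get past this point; a range check next to the cast that also calls `Bailout(kNeedSmiLiteral)` (or a dedicated reason) would close that. Stylistically the two branches duplicate the same comment and bailout and could collapse into one condition, `if (id_arg->node_type() != AstNode::kLiteral || !static_cast<Literal*>(id_arg)->value()->IsSmi())` with `id_arg` bound once from `arguments->at(kArrayIdArg)`. The enclosing function begins before and continues after the hunk.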
=======================================
--- /branches/bleeding_edge/src/objects-inl.h Fri May 9 18:31:08 2014 UTC
+++ /branches/bleeding_edge/src/objects-inl.h Mon May 12 15:30:00 2014 UTC
@@ -5125,7 +5125,7 @@
void holder::set_##name(int value) { \
ASSERT(kHeapObjectTag == 1); \
ASSERT((value & 0xC0000000) == 0xC0000000 || \
- (value & 0xC0000000) == 0x000000000); \
+ (value & 0xC0000000) == 0x0); \
WRITE_INT_FIELD(this, \
offset, \
(value << 1) & ~kHeapObjectTag); \
=======================================
--- /branches/bleeding_edge/src/objects.h Fri May 9 18:31:08 2014 UTC
+++ /branches/bleeding_edge/src/objects.h Mon May 12 15:30:00 2014 UTC
@@ -1166,6 +1166,7 @@
V(kModuleVariable, "Module
variable") \
V(kModuleUrl, "Module
url") \
V(kNativeFunctionLiteral, "Native function
literal") \
+ V(kNeedSmiLiteral, "Need a Smi literal
here") \
V(kNoCasesLeft, "No cases
left") \
V(kNoEmptyArraysHereInEmitFastAsciiArrayJoin,
\
"No empty arrays here in
EmitFastAsciiArrayJoin") \
=======================================
--- /branches/bleeding_edge/src/runtime.cc Mon May 12 13:47:01 2014 UTC
+++ /branches/bleeding_edge/src/runtime.cc Mon May 12 15:30:00 2014 UTC
@@ -3030,6 +3030,8 @@
CONVERT_ARG_CHECKED(JSFunction, fun, 0);
CONVERT_SMI_ARG_CHECKED(length, 1);
+ RUNTIME_ASSERT((length & 0xC0000000) == 0xC0000000 ||
+ (length & 0xC0000000) == 0x0);
fun->shared()->set_length(length);
return isolate->heap()->undefined_value();
}
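Review bot: The new `RUNTIME_ASSERT` after `CONVERT_SMI_ARG_CHECKED(length, 1)` restates by hand the bit-mask invariant that `set_length` asserts in objects-inl.h, so the two copies can drift apart silently; a named predicate beside the accessor, or at least a comment here such as `// Must survive the 31-bit (value << 1) encoding used by set_length.`, would make the intent visible to the next reader. As written the check also admits negative lengths down to -2^30; if no caller legitimately sets a negative function length, `RUNTIME_ASSERT(length >= 0 && length < (1 << 30))` would be both tighter and self-explanatory, though the callers are not visible from this hunk. This runtime check is presumably needed because the setter's `ASSERT` is compiled out of release builds, which is worth stating in the comment so nobody removes it as redundant.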
@@ -4882,6 +4884,7 @@
int f = FastD2IChecked(f_number);
// See DoubleToFixedCString for these constants:
RUNTIME_ASSERT(f >= 0 && f <= 20);
+ RUNTIME_ASSERT(!Double(value).IsSpecial());
char* str = DoubleToFixedCString(value, f);
Handle<String> result =
isolate->factory()->NewStringFromAsciiChecked(str);
DeleteArray(str);
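Review bot: The added `RUNTIME_ASSERT(!Double(value).IsSpecial())` carries no explanation of why a NaN or infinite `value` must be refused here, whereas the neighbouring `RUNTIME_ASSERT(f >= 0 && f <= 20)` at least points at `DoubleToFixedCString` for its constants; a one-line comment such as `// NaN and +/-Infinity are handled by the JS caller; DoubleToFixedCString expects a finite value.` would record the contract being enforced. I am inferring from the check itself that the C++ formatter does not accept special values — it is outside the hunk, so confirm that before settling on the wording. The same line is repeated verbatim in the two following hunks, and a shared comment or a small helper would keep the three in step. The enclosing runtime function starts before the hunk.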
@@ -4897,6 +4900,7 @@
CONVERT_DOUBLE_ARG_CHECKED(f_number, 1);
int f = FastD2IChecked(f_number);
RUNTIME_ASSERT(f >= -1 && f <= 20);
+ RUNTIME_ASSERT(!Double(value).IsSpecial());
char* str = DoubleToExponentialCString(value, f);
Handle<String> result =
isolate->factory()->NewStringFromAsciiChecked(str);
DeleteArray(str);
@@ -4912,6 +4916,7 @@
CONVERT_DOUBLE_ARG_CHECKED(f_number, 1);
int f = FastD2IChecked(f_number);
RUNTIME_ASSERT(f >= 1 && f <= 21);
+ RUNTIME_ASSERT(!Double(value).IsSpecial());
char* str = DoubleToPrecisionCString(value, f);
Handle<String> result =
isolate->factory()->NewStringFromAsciiChecked(str);
DeleteArray(str);