Reviewers: Yang,

Message:
PTAL.

Description:
Harden builtins BuildResultFromMatchInfo and URIDecodeOctets

Please review this at https://codereview.chromium.org/286203010/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+32, -19 lines):
  M src/hydrogen.cc
  M src/regexp.js
  M src/uri.js
  M tools/generate-runtime-tests.py


Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 7c8c0560664056249ddfce0ef1cbd918b8de8fbe..9c782f2967bc143464ea2760a1ae9897cd1da296 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -1535,12 +1535,14 @@ HValue* HGraphBuilder::BuildRegExpConstructResult(HValue* length,

// Compute the size of the RegExpResult followed by FixedArray with length.
   HValue* size = length;
-  size = AddUncasted<HShl>(size, Add<HConstant>(kPointerSizeLog2));
-  size = AddUncasted<HAdd>(size, Add<HConstant>(static_cast<int32_t>(
-              JSRegExpResult::kSize + FixedArray::kHeaderSize)));
+  // Make sure size does not exceed max regular heap object size.
+  const int kHeaderSize = JSRegExpResult::kSize + FixedArray::kHeaderSize;
+  const int kMaxLength =
+      (Page::kMaxRegularHeapObjectSize - kHeaderSize) >> kPointerSizeLog2;
+  Add<HBoundsCheck>(size, Add<HConstant>(kMaxLength));

-  // Make sure size does not exceeds max regular heap object size.
-  Add<HBoundsCheck>(size, Add<HConstant>(Page::kMaxRegularHeapObjectSize));
+  size = AddUncasted<HShl>(size, Add<HConstant>(kPointerSizeLog2));
+  size = AddUncasted<HAdd>(size, Add<HConstant>(kHeaderSize));

   // Allocate the JSRegExpResult and the FixedArray in one step.
   HValue* result = Add<HAllocate>(
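Review bot: The comment "Make sure size does not exceed max regular heap object size." now sits above a check on the unshifted element count, and nothing says why the check moved ahead of the shift, so a later reader could move it back; make the intent explicit, e.g. `// Bounds-check the element count, not the byte size: checking after the shift would let an int32 overflow of length << kPointerSizeLog2 wrap back under the limit.` If HBoundsCheck rejects index >= length (and treats negatives as failing via an unsigned compare, as I believe it does), a length of exactly kMaxLength is refused even though that many elements plus the header would still fit; that is conservative and fine for a hardening change, but worth a word so it is not mistaken for an off-by-one. BuildRegExpConstructResult starts before this hunk and continues past it.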
Index: src/regexp.js
diff --git a/src/regexp.js b/src/regexp.js
index d58ca2634bd03f313e1326ca2c5b5542dbb00139..b668cf8b78b154a98fb1383ca8d02be271de8530 100644
--- a/src/regexp.js
+++ b/src/regexp.js
@@ -108,23 +108,25 @@ function DoRegExpExec(regexp, string, index) {
 }


-function BuildResultFromMatchInfo(lastMatchInfo, s) {
-  var numResults = NUMBER_OF_CAPTURES(lastMatchInfo) >> 1;
-  var start = lastMatchInfo[CAPTURE0];
-  var end = lastMatchInfo[CAPTURE1];
-  var result = %_RegExpConstructResult(numResults, start, s);
-  result[0] = %_SubString(s, start, end);
+// This is kind of performance sensitive, so we want to avoid unnecessary
+// type checks on inputs. But we also don't want to inline it several times
+// manually, so we use a macro :-)
+macro BuildResultFromMatchInfo(MATCHINFO, STRING)
+  var numResults = NUMBER_OF_CAPTURES(MATCHINFO) >> 1;
+  var start = MATCHINFO[CAPTURE0];
+  var end = MATCHINFO[CAPTURE1];
+  var result = %_RegExpConstructResult(numResults, start, STRING);
+  result[0] = %_SubString(STRING, start, end);
   var j = REGEXP_FIRST_CAPTURE + 2;
   for (var i = 1; i < numResults; i++) {
-    start = lastMatchInfo[j++];
+    start = MATCHINFO[j++];
     if (start != -1) {
-      end = lastMatchInfo[j];
-      result[i] = %_SubString(s, start, end);
+      end = MATCHINFO[j];
+      result[i] = %_SubString(STRING, start, end);
     }
     j++;
   }
-  return result;
-}
+endmacro


 function RegExpExecNoTests(regexp, string, start) {
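Review bot: The macro declares `var start`, `var end`, `var result`, `var numResults`, `var j` and `var i` in whichever function it is expanded in, and `start` collides with the `start` parameter of RegExpExecNoTests visible on the last line of this hunk: the expansion overwrites that parameter after `%_RegExpExec` has consumed it, which is harmless today but silent if the function is later extended to use `start` afterwards. The callers in the next two hunks also depend on `result` leaking out of the macro. State both in the header comment, e.g. `// Expands in place and defines result, numResults, start, end, i and j in the enclosing scope; the caller reads result afterwards and must not rely on same-named locals.` If replacing the function with a macro is what keeps %_RegExpConstructResult from being reachable with unchecked arguments, as the title's "harden" and the builtins-count change suggest, saying so in the comment would explain the choice better than the performance remark alone.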
@@ -132,7 +134,8 @@ function RegExpExecNoTests(regexp, string, start) {
   var matchInfo = %_RegExpExec(regexp, string, start, lastMatchInfo);
   if (matchInfo !== null) {
     lastMatchInfoOverride = null;
-    return BuildResultFromMatchInfo(matchInfo, string);
+    BuildResultFromMatchInfo(matchInfo, string);
+    return result;
   }
   regexp.lastIndex = 0;
   return null;
@@ -175,7 +178,8 @@ function RegExpExec(string) {
   if (global) {
     this.lastIndex = lastMatchInfo[CAPTURE1];
   }
-  return BuildResultFromMatchInfo(matchIndices, string);
+  BuildResultFromMatchInfo(matchIndices, string);
+  return result;
 }


Index: src/uri.js
diff --git a/src/uri.js b/src/uri.js
index 3cc1fe4755816ba93293ed241d5e5d90e217ec90..fb9742fa873d30ebccc7dae2560bdb89cc434ef8 100644
--- a/src/uri.js
+++ b/src/uri.js
@@ -84,6 +84,7 @@ function URIHexCharsToCharCode(highChar, lowChar) {


 function URIDecodeOctets(octets, result, index) {
+  if (!IS_STRING(result)) throw new $URIError("Internal error");
   var value;
   var o0 = octets[0];
   if (o0 < 0x80) {
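Review bot: The new guard establishes only that `result` is some string, while the writes later in the function go through %_TwoByteSeqStringSetChar, which presumably requires a sequential two-byte string rather than, say, a cons or one-byte string. If the only callers pass the decode buffer this file allocates, say so next to the check, e.g. `// NOTE: only checks for a string; the writes below assume a sequential two-byte buffer — confirm callers.`, otherwise a stricter representation check is needed for the hardening to be complete. URIDecodeOctets continues past this hunk.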
@@ -148,9 +149,15 @@ function URIDecodeOctets(octets, result, index) {
     throw new $URIError("URI malformed");
   }
   if (value < 0x10000) {
+    if (index < 0 || index >= result.length) {
+      throw new $URIError("Internal error");
+    }
     %_TwoByteSeqStringSetChar(result, index++, value);
     return index;
   } else {
+    if (index < 0 || index >= result.length - 1) {
+      throw new $URIError("Internal error");
+    }
     %_TwoByteSeqStringSetChar(result, index++, (value >> 10) + 0xd7c0);
     %_TwoByteSeqStringSetChar(result, index++, (value & 0x3ff) + 0xdc00);
     return index;
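Review bot: The range checks added before each write let a NaN `index` through, because `NaN < 0` and `NaN >= result.length` are both false, so a non-numeric or NaN index still reaches %_TwoByteSeqStringSetChar; a fractional index passes for the same reason. If the guard is meant to protect against arbitrary arguments rather than only out-of-range integers, write it in the negated form `if (!(index >= 0 && index < result.length)) {` and `if (!(index >= 0 && index < result.length - 1)) {`, which rejects NaN as well, and consider pinning it to an int32 with `index === (index | 0)`. The two-code-unit branch correctly requires room for both writes. URIDecodeOctets starts before this hunk.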
Index: tools/generate-runtime-tests.py
diff --git a/tools/generate-runtime-tests.py b/tools/generate-runtime-tests.py
index 429271a1d193ed0453692f88309a93546c51adf4..487b7973e7954ad42a3bf9e49dd18f0a54e83265 100755
--- a/tools/generate-runtime-tests.py
+++ b/tools/generate-runtime-tests.py
@@ -51,7 +51,7 @@ EXPECTED_FUNCTION_COUNT = 362
 EXPECTED_FUZZABLE_COUNT = 329
 EXPECTED_CCTEST_COUNT = 6
 EXPECTED_UNKNOWN_COUNT = 5
-EXPECTED_BUILTINS_COUNT = 827
+EXPECTED_BUILTINS_COUNT = 826


 # Don't call these at all.

