[builtin] Array.p.join throws on invalid Array lengths.

This matches the pre-torque behavior when the receiver's length was greater than the max array length. Bug: chromium:902672 Change-Id: Icf8ae3a1a4acc0680ce1b709f5b3372892337203 Reviewed-on: https://chromium-review.googlesource.com/c/1330921 Commit-Queue: Peter Wong <peter.wm.wong@gmail.com> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#57456}
2018-11-13 02:58:09 -06:00 · 2018-11-13 02:58:09 -06:00 · 0dd0af7baf
commit 0dd0af7baf
parent 9ef0160bd7
4 changed files with 22 additions and 0 deletions
--- a/src/builtins/array-join.tq
+++ b/src/builtins/array-join.tq
@ -495,6 +495,10 @@ module array {

    // 2. Let len be ? ToLength(? Get(O, "length")).
    const len: Number = GetLengthProperty(o);
+    // Only handle valid array lengths. Although the spec allows larger values,
+    // this matches historical V8 behavior.
+    if (len > kMaxArrayIndex + 1) ThrowTypeError(context, kInvalidArrayLength);
+
    // 3. If separator is undefined, let sep be the single-element String ",".
    // 4. Else, let sep be ? ToString(separator).
    let sep: String =
--- a/src/builtins/base.tq
+++ b/src/builtins/base.tq
@ -175,6 +175,8 @@ const kIteratorValueNotAnObject: constexpr MessageTemplate
 const kNotIterable: constexpr MessageTemplate
    generates 'MessageTemplate::kNotIterable';

+const kMaxArrayIndex:
+    constexpr uint32 generates 'JSArray::kMaxArrayIndex';
 const kMaxSafeInteger: constexpr float64 generates 'kMaxSafeInteger';
 const kStringMaxLength: constexpr int31 generates 'String::kMaxLength';
 const kFixedArrayMaxLength:
@ -402,6 +404,8 @@ extern operator '&' macro WordAnd(uintptr, uintptr): uintptr;
 extern operator '|' macro WordOr(uintptr, uintptr): uintptr;

 extern operator '+' macro Int32Add(int32, int32): int32;
+extern operator '+' macro ConstexprUint32Add(
+    constexpr uint32, constexpr int32): constexpr uint32;
 extern operator '-' macro Int32Sub(int32, int32): int32;
 extern operator '*' macro Int32Mul(int32, int32): int32;
 extern operator '%' macro Int32Mod(int32, int32): int32;
@ -573,6 +577,7 @@ extern macro ChangeNonnegativeNumberToUintPtr(Number): uintptr;

 extern macro NumberConstant(constexpr float64): Number;
 extern macro NumberConstant(constexpr int32): Number;
+extern macro NumberConstant(constexpr uint32): Number;
 extern macro IntPtrConstant(constexpr int31): intptr;
 extern macro IntPtrConstant(constexpr int32): intptr;
 extern macro Int32Constant(constexpr int31): int31;
@ -610,6 +615,10 @@ FromConstexpr<Number>(i: constexpr int31): Number {
 FromConstexpr<float64>(i: constexpr int31): float64 {
  return Float64Constant(i);
 }
+macro FromConstexpr<A: type>(o: constexpr uint32): A;
+FromConstexpr<Number>(i: constexpr uint32): Number {
+  return NumberConstant(i);
+}
 macro FromConstexpr<A: type>(o: constexpr int32): A;
 FromConstexpr<intptr>(i: constexpr int32): intptr {
  return IntPtrConstant(i);
--- a/src/code-stub-assembler.h
+++ b/src/code-stub-assembler.h
@ -3142,6 +3142,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
  bool ConstexprBoolNot(bool value) { return !value; }

  bool ConstexprInt31Equal(int31_t a, int31_t b) { return a == b; }
+  uint32_t ConstexprUint32Add(uint32_t a, uint32_t b) { return a + b; }

  void PerformStackCheck(TNode<Context> context);

--- a/test/mjsunit/regress/regress-crbug-902672.js
+++ b/test/mjsunit/regress/regress-crbug-902672.js
@ -0,0 +1,8 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var a = this;
+var b = {};
+a.length = 4294967296; // 2 ^ 32 (max array length + 1)
+assertThrows(() => Array.prototype.join.call(a,b), TypeError);