AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[runtime] Check capacity according to elements kind

Browse Source 
... in Runtime_GrowArrayElements.

Runtime_GrowArrayElements is only used when the elements kind
is fast. And we could check the requested capacity according
to the elements kind and throw error early.

Bug: v8:13285
Change-Id: I68f59bc68995d622aac23be3e8daf05ac5fd5652
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905062
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83350}
This commit is contained in:
jameslahm 2022-09-19 23:28:52 +08:00 committed by V8 LUCI CQ
parent d185bacc94
commit 13f06689bf
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/runtime/runtime-array.cc
View File

@ -155,13 +155,18 @@ RUNTIME_FUNCTION(Runtime_NormalizeElements) {
return *array;
}
// GrowArrayElements returns a sentinel Smi if the object was normalized or if
// the key is negative.
// GrowArrayElements grows fast kind elements and returns a sentinel Smi if the
// object was normalized or if the key is negative.
RUNTIME_FUNCTION(Runtime_GrowArrayElements) {
HandleScope scope(isolate);
DCHECK_EQ(2, args.length());
Handle<JSObject> object = args.at<JSObject>(0);
Handle<Object> key = args.at(1);
ElementsKind kind = object->GetElementsKind();
CHECK(IsFastElementsKind(kind));
const intptr_t kMaxLength = IsDoubleElementsKind(kind)
? FixedDoubleArray::kMaxLength
: FixedArray::kMaxLength;
uint32_t index;
if (key->IsSmi()) {
int value = Smi::ToInt(*key);
@ -170,7 +175,7 @@ RUNTIME_FUNCTION(Runtime_GrowArrayElements) {
} else {
CHECK(key->IsHeapNumber());
double value = HeapNumber::cast(*key).value();
if (value < 0 || value > std::numeric_limits<uint32_t>::max()) {
if (value < 0 || value > kMaxLength) {
return Smi::zero();
}
index = static_cast<uint32_t>(value);