AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[keys] Handle RangeError in GetKeysWithPrototypeInfoCache

Browse Source 
Drive-by-fix: Add V8_WARN_UNUSED_RESULT to MaybeHandle::ToHandle

Bug: chromium:1057653
Change-Id: I2834806ca498a2fa43a64f5391606cdbfb4af4fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2084814
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66582}
This commit is contained in:
Camillo Bruni 2020-03-03 18:02:42 +01:00 committed by Commit Bot
parent 3a86dca147
commit 22afaacd47
6 changed files with 33 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/handles/maybe-handles.h
View File

@ -50,7 +50,7 @@ class MaybeHandle final {
// Convert to a Handle with a type that can be upcasted to.
template <typename S>
V8_INLINE bool ToHandle(Handle<S>* out) const {
V8_WARN_UNUSED_RESULT V8_INLINE bool ToHandle(Handle<S>* out) const {
if (location_ == nullptr) {
*out = Handle<T>::null();
return false;

14
src/objects/keys.cc
View File

@ -572,15 +572,17 @@ MaybeHandle<FixedArray> FastKeyAccumulator::GetKeysWithPrototypeInfoCache(
GetKeysConversion keys_conversion) {
Handle<FixedArray> own_keys;
if (may_have_elements_) {
MaybeHandle<FixedArray> maybe_own_keys;
if (receiver_->map().is_dictionary_map()) {
GetOwnKeysWithElements<false>(isolate_, Handle<JSObject>::cast(receiver_),
keys_conversion, skip_indices_)
.ToHandle(&own_keys);
maybe_own_keys = GetOwnKeysWithElements<false>(
isolate_, Handle<JSObject>::cast(receiver_), keys_conversion,
skip_indices_);
} else {
GetOwnKeysWithElements<true>(isolate_, Handle<JSObject>::cast(receiver_),
keys_conversion, skip_indices_)
.ToHandle(&own_keys);
maybe_own_keys = GetOwnKeysWithElements<true>(
isolate_, Handle<JSObject>::cast(receiver_), keys_conversion,
skip_indices_);
}
ASSIGN_RETURN_ON_EXCEPTION(isolate_, own_keys, maybe_own_keys, FixedArray);
} else {
own_keys = KeyAccumulator::GetOwnEnumPropertyKeys(
isolate_, Handle<JSObject>::cast(receiver_));

17
src/objects/objects.cc
View File

@ -6092,17 +6092,18 @@ Handle<Object> JSPromise::TriggerPromiseReactions(Isolate* isolate,
secondary_handler = handle(reaction->fulfill_handler(), isolate);
}
bool has_handler_context = false;
if (primary_handler->IsJSReceiver()) {
JSReceiver::GetContextForMicrotask(
Handle<JSReceiver>::cast(primary_handler))
.ToHandle(&handler_context);
has_handler_context = JSReceiver::GetContextForMicrotask(
Handle<JSReceiver>::cast(primary_handler))
.ToHandle(&handler_context);
}
if (handler_context.is_null() && secondary_handler->IsJSReceiver()) {
JSReceiver::GetContextForMicrotask(
Handle<JSReceiver>::cast(secondary_handler))
.ToHandle(&handler_context);
if (!has_handler_context && secondary_handler->IsJSReceiver()) {
has_handler_context = JSReceiver::GetContextForMicrotask(
Handle<JSReceiver>::cast(secondary_handler))
.ToHandle(&handler_context);
}
if (handler_context.is_null()) handler_context = isolate->native_context();
if (!has_handler_context) handler_context = isolate->native_context();
STATIC_ASSERT(
static_cast<int>(PromiseReaction::kSize) ==

12
test/cctest/compiler/test-run-jsobjects.cc
View File

@ -14,8 +14,8 @@ namespace compiler {
TEST(ArgumentsMapped) {
FunctionTester T("(function(a) { return arguments; })");
Handle<Object> arguments;
T.Call(T.Val(19), T.Val(23), T.Val(42), T.Val(65)).ToHandle(&arguments);
Handle<Object> arguments =
T.Call(T.Val(19), T.Val(23), T.Val(42), T.Val(65)).ToHandleChecked();
CHECK(arguments->IsJSObject() && !arguments->IsJSArray());
CHECK(JSObject::cast(*arguments).HasSloppyArgumentsElements());
Handle<String> l = T.isolate->factory()->length_string();
@ -28,8 +28,8 @@ TEST(ArgumentsMapped) {
TEST(ArgumentsUnmapped) {
FunctionTester T("(function(a) { 'use strict'; return arguments; })");
Handle<Object> arguments;
T.Call(T.Val(19), T.Val(23), T.Val(42), T.Val(65)).ToHandle(&arguments);
Handle<Object> arguments =
T.Call(T.Val(19), T.Val(23), T.Val(42), T.Val(65)).ToHandleChecked();
CHECK(arguments->IsJSObject() && !arguments->IsJSArray());
CHECK(!JSObject::cast(*arguments).HasSloppyArgumentsElements());
Handle<String> l = T.isolate->factory()->length_string();
@ -42,8 +42,8 @@ TEST(ArgumentsUnmapped) {
TEST(ArgumentsRest) {
FunctionTester T("(function(a, ...args) { return args; })");
Handle<Object> arguments;
T.Call(T.Val(19), T.Val(23), T.Val(42), T.Val(65)).ToHandle(&arguments);
Handle<Object> arguments =
T.Call(T.Val(19), T.Val(23), T.Val(42), T.Val(65)).ToHandleChecked();
CHECK(arguments->IsJSObject() && arguments->IsJSArray());
CHECK(!JSObject::cast(*arguments).HasSloppyArgumentsElements());
Handle<String> l = T.isolate->factory()->length_string();

3
test/cctest/heap/test-heap.cc
View File

@ -5709,8 +5709,7 @@ TEST(Regress631969) {
// Allocate a cons string and promote it to a fresh page in the old space.
heap::SimulateFullSpace(heap->old_space());
Handle<String> s3;
factory->NewConsString(s1, s2).ToHandle(&s3);
Handle<String> s3 = factory->NewConsString(s1, s2).ToHandleChecked();
CcTest::CollectGarbage(NEW_SPACE);
CcTest::CollectGarbage(NEW_SPACE);

8
test/mjsunit/regress/regress-crbug-1057653.js Normal file
View File

@ -0,0 +1,8 @@
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
Object.prototype.length = 3642395160;
const array = new Float32Array(2**28);
assertThrows(() => {for (const key in array) {}}, RangeError);