Always check copy_size before getting accessor and trying to copy.

Review URL: https://chromiumcodereview.appspot.com/11348071

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13001 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
verwaest@chromium.org 2012-11-19 15:31:38 +00:00
parent 08cfda49f2
commit 397f5291ae


@ -574,11 +574,13 @@ BUILTIN(ArrayPush) {
MaybeObject* maybe_obj = heap->AllocateUninitializedFixedArray(capacity); MaybeObject* maybe_obj = heap->AllocateUninitializedFixedArray(capacity);
if (!maybe_obj->To(&new_elms)) return maybe_obj; if (!maybe_obj->To(&new_elms)) return maybe_obj;
ElementsAccessor* accessor = array->GetElementsAccessor(); if (len > 0) {
MaybeObject* maybe_failure = ElementsAccessor* accessor = array->GetElementsAccessor();
accessor->CopyElements(array, 0, new_elms, kind, 0, len, elms_obj); MaybeObject* maybe_failure =
ASSERT(!maybe_failure->IsFailure()); accessor->CopyElements(array, 0, new_elms, kind, 0, len, elms_obj);
USE(maybe_failure); ASSERT(!maybe_failure->IsFailure());
USE(maybe_failure);
}
FillWithHoles(heap, new_elms, new_length, capacity); FillWithHoles(heap, new_elms, new_length, capacity);
elms = new_elms; elms = new_elms;
@ -621,11 +623,13 @@ BUILTIN(ArrayPush) {
heap->AllocateUninitializedFixedDoubleArray(capacity); heap->AllocateUninitializedFixedDoubleArray(capacity);
if (!maybe_obj->To(&new_elms)) return maybe_obj; if (!maybe_obj->To(&new_elms)) return maybe_obj;
ElementsAccessor* accessor = array->GetElementsAccessor(); if (len > 0) {
MaybeObject* maybe_failure = ElementsAccessor* accessor = array->GetElementsAccessor();
accessor->CopyElements(array, 0, new_elms, kind, 0, len, elms_obj); MaybeObject* maybe_failure =
ASSERT(!maybe_failure->IsFailure()); accessor->CopyElements(array, 0, new_elms, kind, 0, len, elms_obj);
USE(maybe_failure); ASSERT(!maybe_failure->IsFailure());
USE(maybe_failure);
}
FillWithHoles(new_elms, len + to_add, new_elms->length()); FillWithHoles(new_elms, len + to_add, new_elms->length());
} else { } else {
@ -783,12 +787,14 @@ BUILTIN(ArrayUnshift) {
MaybeObject* maybe_elms = heap->AllocateUninitializedFixedArray(capacity); MaybeObject* maybe_elms = heap->AllocateUninitializedFixedArray(capacity);
if (!maybe_elms->To(&new_elms)) return maybe_elms; if (!maybe_elms->To(&new_elms)) return maybe_elms;
ElementsKind kind = array->GetElementsKind(); if (len > 0) {
ElementsAccessor* accessor = array->GetElementsAccessor(); ElementsKind kind = array->GetElementsKind();
MaybeObject* maybe_failure = ElementsAccessor* accessor = array->GetElementsAccessor();
accessor->CopyElements(array, 0, new_elms, kind, to_add, len, elms); MaybeObject* maybe_failure =
ASSERT(!maybe_failure->IsFailure()); accessor->CopyElements(array, 0, new_elms, kind, to_add, len, elms);
USE(maybe_failure); ASSERT(!maybe_failure->IsFailure());
USE(maybe_failure);
}
FillWithHoles(heap, new_elms, new_length, capacity); FillWithHoles(heap, new_elms, new_length, capacity);
elms = new_elms; elms = new_elms;
@ -929,6 +935,8 @@ BUILTIN(ArraySlice) {
MaybeObject* maybe_array = heap->AllocateJSArrayAndStorage(kind, MaybeObject* maybe_array = heap->AllocateJSArrayAndStorage(kind,
result_len, result_len,
result_len); result_len);
if (result_len == 0) return maybe_array;
if (!maybe_array->To(&result_array)) return maybe_array; if (!maybe_array->To(&result_array)) return maybe_array;
ElementsAccessor* accessor = object->GetElementsAccessor(); ElementsAccessor* accessor = object->GetElementsAccessor();
@ -1095,19 +1103,23 @@ BUILTIN(ArraySplice) {
MaybeObject* maybe_obj = heap->AllocateUninitializedFixedArray(capacity); MaybeObject* maybe_obj = heap->AllocateUninitializedFixedArray(capacity);
if (!maybe_obj->To(&new_elms)) return maybe_obj; if (!maybe_obj->To(&new_elms)) return maybe_obj;
// Copy the part before actual_start as is.
ElementsKind kind = array->GetElementsKind(); ElementsKind kind = array->GetElementsKind();
ElementsAccessor* accessor = array->GetElementsAccessor(); ElementsAccessor* accessor = array->GetElementsAccessor();
MaybeObject* maybe_failure = accessor->CopyElements( if (actual_start > 0) {
array, 0, new_elms, kind, 0, actual_start, elms); // Copy the part before actual_start as is.
ASSERT(!maybe_failure->IsFailure()); MaybeObject* maybe_failure = accessor->CopyElements(
USE(maybe_failure); array, 0, new_elms, kind, 0, actual_start, elms);
ASSERT(!maybe_failure->IsFailure());
USE(maybe_failure);
}
const int to_copy = len - actual_delete_count - actual_start; const int to_copy = len - actual_delete_count - actual_start;
maybe_failure = accessor->CopyElements( if (to_copy > 0) {
array, actual_start + actual_delete_count, new_elms, kind, MaybeObject* maybe_failure = accessor->CopyElements(
actual_start + item_count, to_copy, elms); array, actual_start + actual_delete_count, new_elms, kind,
ASSERT(!maybe_failure->IsFailure()); actual_start + item_count, to_copy, elms);
USE(maybe_failure); ASSERT(!maybe_failure->IsFailure());
USE(maybe_failure);
}
FillWithHoles(heap, new_elms, new_length, capacity); FillWithHoles(heap, new_elms, new_length, capacity);
@ -1186,14 +1198,9 @@ BUILTIN(ArrayConcat) {
} }
ElementsKind arg_kind = JSArray::cast(arg)->map()->elements_kind(); ElementsKind arg_kind = JSArray::cast(arg)->map()->elements_kind();
ElementsKind packed_kind = GetPackedElementsKind(arg_kind); if (IsMoreGeneralElementsKindTransition(elements_kind, arg_kind)) {
if (IsMoreGeneralElementsKindTransition( elements_kind = IsFastHoleyElementsKind(elements_kind)
GetPackedElementsKind(elements_kind), packed_kind)) { ? GetHoleyElementsKind(arg_kind) : arg_kind;
if (IsFastHoleyElementsKind(elements_kind)) {
elements_kind = GetHoleyElementsKind(arg_kind);
} else {
elements_kind = arg_kind;
}
} }
} }
@ -1210,12 +1217,14 @@ BUILTIN(ArrayConcat) {
FixedArrayBase* storage = result_array->elements(); FixedArrayBase* storage = result_array->elements();
for (int i = 0; i < n_arguments; i++) { for (int i = 0; i < n_arguments; i++) {
JSArray* array = JSArray::cast(args[i]); JSArray* array = JSArray::cast(args[i]);
ElementsAccessor* accessor = array->GetElementsAccessor();
int len = Smi::cast(array->length())->value(); int len = Smi::cast(array->length())->value();
MaybeObject* maybe_failure = if (len > 0) {
accessor->CopyElements(array, 0, storage, elements_kind, j, len); ElementsAccessor* accessor = array->GetElementsAccessor();
if (maybe_failure->IsFailure()) return maybe_failure; MaybeObject* maybe_failure =
j += len; accessor->CopyElements(array, 0, storage, elements_kind, j, len);
if (maybe_failure->IsFailure()) return maybe_failure;
j += len;
}
} }
ASSERT(j == result_len); ASSERT(j == result_len);
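Review bot: The new `if (len > 0)` guard around `GetElementsAccessor()` and `CopyElements` in ArrayConcat (and the matching guards in ArrayPush, ArrayUnshift and ArraySplice) carries no comment saying why a zero-length copy must not reach the accessor, so a later cleanup could fold the guard back out without noticing it is load-bearing; the commit title states the rule but the code does not. I would add a one-line comment above the guard, e.g. `// Do not fetch the accessor or copy when len == 0; see https://chromiumcodereview.appspot.com/11348071.`, and the same line at the other four sites. Since the rule now depends on every caller remembering it, it is also worth checking whether `CopyElements` itself rejects a zero `copy_size` up front; if it does not, a guard there would be the single place that enforces it rather than five hand-duplicated ones. Moving `j += len;` inside the guard is behaviour-neutral, since the skipped case adds zero, so the `ASSERT(j == result_len)` still holds. The enclosing ArrayConcat body continues outside the hunk.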