From 3cfc4b3afabb2b403cc4c642df7b68648c0f37ec Mon Sep 17 00:00:00 2001
From: jgruber
Date: Wed, 29 Nov 2017 15:12:46 +0100
Subject: [PATCH] [typedarray] CHECKs, now with less overflow
Ensure that bound-checking CHECKs do not overflow and properly access the JSTypedArray's length value. This addresses remaining comments from https://crrev.com/c/788857/9/src/runtime/runtime-typedarray.cc#233
Bug: v8:3590
Change-Id: Ic06ff2ecd64a23ab9724c25d7b6cb689b9e7932b
Reviewed-on: https://chromium-review.googlesource.com/796611
Reviewed-by: Camillo Bruni
Commit-Queue: Jakob Gruber
Cr-Commit-Position: refs/heads/master@{#49719}
---
 src/elements.cc | 9 ++++-----
 src/runtime/runtime-typedarray.cc | 4 ++--
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/elements.cc b/src/elements.cc
index 164b5307dc..22bf8012dd 100644
--- a/src/elements.cc
+++ b/src/elements.cc
@@ -3210,8 +3210,7 @@ class TypedElementsAccessor
 JSTypedArray* destination, size_t length, uint32_t offset) {
 // The source is a typed array, so we know we don't need to do ToNumber
- // side-effects, as the source elements will always be a number or
- undefined.
+ // side-effects, as the source elements will always be a number.
 DisallowHeapAllocation no_gc;
 FixedTypedArrayBase* source_elements =
@@ -3219,10 +3218,10 @@ class TypedElementsAccessor
 BackingStore* destination_elements = BackingStore::cast(destination->elements());
- DCHECK_LE(offset + source->length(), destination->length());
- DCHECK_GE(destination->length(), source->length());
+ DCHECK_LE(offset, destination->length_value());
+ DCHECK_LE(source->length_value(), destination->length_value() - offset);
 DCHECK(source->length()->IsSmi());
- DCHECK_EQ(Smi::FromInt(static_cast(length)), source->length());
+ DCHECK_EQ(length, source->length_value());
 InstanceType source_type = source_elements->map()->instance_type();
 InstanceType destination_type =
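Review bot: In the second elements.cc hunk, `DCHECK(source->length()->IsSmi())` is evaluated only after `source->length_value()` has already been called twice in the new `DCHECK_LE` lines; if `length_value()` assumes a Smi length, that check belongs before the first `DCHECK_LE` (or can be dropped if `length_value()` asserts it itself). The new `destination->length_value() - offset` is an unsigned subtraction that is free of wrap-around only because the `DCHECK_LE(offset, destination->length_value())` directly above it holds, and in a release build neither DCHECK runs, so `offset <= destination length` is an invariant the surrounding code (not visible here) must guarantee rather than something this code checks; a comment such as `// Requires offset <= destination length; the subtraction below relies on it.` would make that dependency explicit. The enclosing method starts and ends outside the hunk.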
diff --git a/src/runtime/runtime-typedarray.cc b/src/runtime/runtime-typedarray.cc
index 2f34a213cf..5820c4b6a4 100644
--- a/src/runtime/runtime-typedarray.cc
+++ b/src/runtime/runtime-typedarray.cc
@@ -230,8 +230,8 @@ Object* TypedArraySetFromOverlapping(Isolate* isolate,
 size_t source_byte_length = NumberToSize(source->byte_length());
 size_t target_byte_length = NumberToSize(target->byte_length());
- CHECK_LE(offset + source->length(), target->length());
- CHECK_GE(target->length(), source->length());
+ CHECK_LE(offset, target->length_value());
+ CHECK_LE(source->length_value(), target->length_value() - offset);
 CHECK(source->length()->IsSmi());
 CHECK(!target->WasNeutered());
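Review bot: `CHECK_LE(offset, target->length_value())` and the subtraction in the following `CHECK_LE` run before `CHECK(!target->WasNeutered())`, so for a neutered target the failure would surface as a bounds mismatch rather than as the neutering it actually is; moving the `WasNeutered()` CHECK (and the corresponding one for `source`, if it follows below the hunk) ahead of the length comparisons gives these release-mode guards a clearer failure reason. As in elements.cc, `CHECK(source->length()->IsSmi())` now comes after `source->length_value()` has already been used and would be better placed before the first `CHECK_LE`. The `source_byte_length`/`target_byte_length` values computed just above the change are not related to the element-length checks within this hunk; the rest of TypedArraySetFromOverlapping lies outside it.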