[typedarray] CHECKs, now with less overflow

Ensure that bound-checking CHECKs do not overflow and properly access the JSTypedArray's length value. This addresses remaining comments from https://crrev.com/c/788857/9/src/runtime/runtime-typedarray.cc#233 Bug: v8:3590 Change-Id: Ic06ff2ecd64a23ab9724c25d7b6cb689b9e7932b Reviewed-on: https://chromium-review.googlesource.com/796611 Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#49719}
2017-11-29 15:12:46 +01:00 · 2017-11-29 15:12:46 +01:00 · 3cfc4b3afa
commit 3cfc4b3afa
parent 579d955355
2 changed files with 6 additions and 7 deletions
--- a/src/elements.cc
+++ b/src/elements.cc
@ -3210,8 +3210,7 @@ class TypedElementsAccessor
                                         JSTypedArray* destination,
                                         size_t length, uint32_t offset) {
    // The source is a typed array, so we know we don't need to do ToNumber
-    // side-effects, as the source elements will always be a number or
-    // undefined.
+    // side-effects, as the source elements will always be a number.
    DisallowHeapAllocation no_gc;

    FixedTypedArrayBase* source_elements =
@ -3219,10 +3218,10 @@ class TypedElementsAccessor
    BackingStore* destination_elements =
        BackingStore::cast(destination->elements());

-    DCHECK_LE(offset + source->length(), destination->length());
-    DCHECK_GE(destination->length(), source->length());
+    DCHECK_LE(offset, destination->length_value());
+    DCHECK_LE(source->length_value(), destination->length_value() - offset);
    DCHECK(source->length()->IsSmi());
-    DCHECK_EQ(Smi::FromInt(static_cast<int>(length)), source->length());
+    DCHECK_EQ(length, source->length_value());

    InstanceType source_type = source_elements->map()->instance_type();
    InstanceType destination_type =
--- a/src/runtime/runtime-typedarray.cc
+++ b/src/runtime/runtime-typedarray.cc
@ -230,8 +230,8 @@ Object* TypedArraySetFromOverlapping(Isolate* isolate,
  size_t source_byte_length = NumberToSize(source->byte_length());
  size_t target_byte_length = NumberToSize(target->byte_length());

-  CHECK_LE(offset + source->length(), target->length());
-  CHECK_GE(target->length(), source->length());
+  CHECK_LE(offset, target->length_value());
+  CHECK_LE(source->length_value(), target->length_value() - offset);
  CHECK(source->length()->IsSmi());

  CHECK(!target->WasNeutered());