[typedarray] CHECKs, now with less overflow

Ensure that bound-checking CHECKs do not overflow and properly access
the JSTypedArray's length value.

This addresses remaining comments from
https://crrev.com/c/788857/9/src/runtime/runtime-typedarray.cc#233

Bug: v8:3590
Change-Id: Ic06ff2ecd64a23ab9724c25d7b6cb689b9e7932b
Reviewed-on: https://chromium-review.googlesource.com/796611
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49719}
This commit is contained in:
jgruber 2017-11-29 15:12:46 +01:00 committed by Commit Bot
parent 579d955355
commit 3cfc4b3afa
2 changed files with 6 additions and 7 deletions

View File

@ -3210,8 +3210,7 @@ class TypedElementsAccessor
JSTypedArray* destination,
size_t length, uint32_t offset) {
// The source is a typed array, so we know we don't need to do ToNumber
// side-effects, as the source elements will always be a number or
// undefined.
// side-effects, as the source elements will always be a number.
DisallowHeapAllocation no_gc;
FixedTypedArrayBase* source_elements =
@ -3219,10 +3218,10 @@ class TypedElementsAccessor
BackingStore* destination_elements =
BackingStore::cast(destination->elements());
DCHECK_LE(offset + source->length(), destination->length());
DCHECK_GE(destination->length(), source->length());
DCHECK_LE(offset, destination->length_value());
DCHECK_LE(source->length_value(), destination->length_value() - offset);
DCHECK(source->length()->IsSmi());
DCHECK_EQ(Smi::FromInt(static_cast<int>(length)), source->length());
DCHECK_EQ(length, source->length_value());
InstanceType source_type = source_elements->map()->instance_type();
InstanceType destination_type =

View File

@ -230,8 +230,8 @@ Object* TypedArraySetFromOverlapping(Isolate* isolate,
size_t source_byte_length = NumberToSize(source->byte_length());
size_t target_byte_length = NumberToSize(target->byte_length());
CHECK_LE(offset + source->length(), target->length());
CHECK_GE(target->length(), source->length());
CHECK_LE(offset, target->length_value());
CHECK_LE(source->length_value(), target->length_value() - offset);
CHECK(source->length()->IsSmi());
CHECK(!target->WasNeutered());