[torque] check FixedArray length

Bug: chromium:1086890 Change-Id: I8345f209d8f4e40a57df166664f403a6cf6c6652 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2222346 Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Auto-Submit: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#68085}
2020-05-30 16:06:59 +02:00 · 2020-05-30 16:06:59 +02:00 · 85bc1b0cab
commit 85bc1b0cab
parent 82c3aa45ce
8 changed files with 29 additions and 5 deletions
--- a/src/builtins/base.tq
+++ b/src/builtins/base.tq
@ -354,6 +354,8 @@ const kStringMaxLengthUintptr:
    constexpr uintptr generates 'String::kMaxLength';
 const kFixedArrayMaxLength:
    constexpr int31 generates 'FixedArray::kMaxLength';
+const kFixedDoubleArrayMaxLength:
+    constexpr int31 generates 'FixedDoubleArray::kMaxLength';
 const kObjectAlignmentMask: constexpr intptr
    generates 'kObjectAlignmentMask';
 const kMinAddedElementsCapacity:
--- a/src/codegen/code-stub-assembler.cc
+++ b/src/codegen/code-stub-assembler.cc
@ -205,7 +205,7 @@ TNode<Smi> CodeStubAssembler::SelectSmiConstant(SloppyTNode<BoolT> condition,
                             SmiConstant(false_value));
 }

-TNode<Object> CodeStubAssembler::NoContextConstant() {
+TNode<Smi> CodeStubAssembler::NoContextConstant() {
  return SmiConstant(Context::kNoContext);
 }

--- a/src/codegen/code-stub-assembler.h
+++ b/src/codegen/code-stub-assembler.h
@ -616,7 +616,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
    return Word32BinaryNot(TaggedEqual(a, b));
  }

-  TNode<Object> NoContextConstant();
+  TNode<Smi> NoContextConstant();

 #define HEAP_CONSTANT_ACCESSOR(rootIndexName, rootAccessorName, name)  \
  TNode<std::remove_pointer<std::remove_reference<decltype(            \
--- a/src/objects/contexts.tq
+++ b/src/objects/contexts.tq
@ -74,3 +74,9 @@ extern operator '[]=' macro StoreContextElement(

 extern operator '[]' macro LoadContextElement(Context, intptr): Object;
 extern operator '[]' macro LoadContextElement(Context, Smi): Object;
+
+// A dummy used instead of a context constant for runtime calls that don't need
+// a context.
+type NoContext extends Smi;
+extern macro NoContextConstant(): NoContext;
+const kNoContext: NoContext = NoContextConstant();
--- a/src/objects/fixed-array.tq
+++ b/src/objects/fixed-array.tq
@ -141,8 +141,15 @@ macro ExtractFixedDoubleArray(
          ConstantIterator(kDoubleHole)));
 }

+namespace runtime {
+extern runtime FatalProcessOutOfMemoryInvalidArrayLength(NoContext): never;
+}
+
 macro NewFixedArray<Iterator: type>(length: intptr, it: Iterator): FixedArray {
  if (length == 0) return kEmptyFixedArray;
+  if (length > kFixedArrayMaxLength) deferred {
+      runtime::FatalProcessOutOfMemoryInvalidArrayLength(kNoContext);
+    }
  return new
  FixedArray{map: kFixedArrayMap, length: Convert<Smi>(length), objects: ...it};
 }
@ -150,6 +157,9 @@ macro NewFixedArray<Iterator: type>(length: intptr, it: Iterator): FixedArray {
 macro NewFixedDoubleArray<Iterator: type>(
    length: intptr, it: Iterator): FixedDoubleArray|EmptyFixedArray {
  if (length == 0) return kEmptyFixedArray;
+  if (length > kFixedDoubleArrayMaxLength) deferred {
+      runtime::FatalProcessOutOfMemoryInvalidArrayLength(kNoContext);
+    }
  return new FixedDoubleArray{
    map: kFixedDoubleArrayMap,
    length: Convert<Smi>(length),
--- a/src/torque/constants.h
+++ b/src/torque/constants.h
@ -24,6 +24,7 @@ static const char* const BOOL_TYPE_STRING = "bool";
 static const char* const VOID_TYPE_STRING = "void";
 static const char* const ARGUMENTS_TYPE_STRING = "Arguments";
 static const char* const CONTEXT_TYPE_STRING = "Context";
+static const char* const NO_CONTEXT_TYPE_STRING = "NoContext";
 static const char* const NATIVE_CONTEXT_TYPE_STRING = "NativeContext";
 static const char* const JS_FUNCTION_TYPE_STRING = "JSFunction";
 static const char* const MAP_TYPE_STRING = "Map";
--- a/src/torque/declaration-visitor.cc
+++ b/src/torque/declaration-visitor.cc
@ -126,11 +126,12 @@ void DeclarationVisitor::Visit(ExternalRuntimeDeclaration* decl) {
        "Missing parameters for runtime function, at least the context "
        "parameter is required.");
  }
-  if (!(signature.parameter_types.types[0] == TypeOracle::GetContextType())) {
+  if (!(signature.parameter_types.types[0] == TypeOracle::GetContextType() ||
+        signature.parameter_types.types[0] == TypeOracle::GetNoContextType())) {
    ReportError(
        "first parameter to runtime functions has to be the context and have "
-        "type Context, but found type ",
-        signature.parameter_types.types[0]);
+        "type Context or NoContext, but found type ",
+        *signature.parameter_types.types[0]);
  }
  if (!(signature.return_type->IsSubtypeOf(TypeOracle::GetObjectType()) ||
        signature.return_type == TypeOracle::GetVoidType() ||
--- a/src/torque/type-oracle.h
+++ b/src/torque/type-oracle.h
@ -304,6 +304,10 @@ class TypeOracle : public ContextualClass<TypeOracle> {
    return Get().GetBuiltinType(CONTEXT_TYPE_STRING);
  }

+  static const Type* GetNoContextType() {
+    return Get().GetBuiltinType(NO_CONTEXT_TYPE_STRING);
+  }
+
  static const Type* GetNativeContextType() {
    return Get().GetBuiltinType(NATIVE_CONTEXT_TYPE_STRING);
  }