[runtime] Specifically handle robust RUNTIME_ASSERTs.
This changes the last few remaining RUNTIME_ASSERT calls that need to be intentionally robust because fuzzers or other callers can invoke the runtime functions in question with unsafe arguments. R=yangguo@chromium.org BUG=v8:5066 Review-Url: https://codereview.chromium.org/2122173003 Cr-Commit-Position: refs/heads/master@{#37576}
This commit is contained in:
parent
207fd4b9cd
commit
8acc97e2e1
@ -173,7 +173,7 @@ RUNTIME_FUNCTION(Runtime_GetLanguageTagVariants) {
|
|||||||
uint32_t length = static_cast<uint32_t>(input->length()->Number());
|
uint32_t length = static_cast<uint32_t>(input->length()->Number());
|
||||||
// Set some limit to prevent fuzz tests from going OOM.
|
// Set some limit to prevent fuzz tests from going OOM.
|
||||||
// Can be bumped when callers' requirements change.
|
// Can be bumped when callers' requirements change.
|
||||||
RUNTIME_ASSERT(length < 100);
|
if (length >= 100) return isolate->ThrowIllegalOperation();
|
||||||
Handle<FixedArray> output = factory->NewFixedArray(length);
|
Handle<FixedArray> output = factory->NewFixedArray(length);
|
||||||
Handle<Name> maximized = factory->NewStringFromStaticChars("maximized");
|
Handle<Name> maximized = factory->NewStringFromStaticChars("maximized");
|
||||||
Handle<Name> base = factory->NewStringFromStaticChars("base");
|
Handle<Name> base = factory->NewStringFromStaticChars("base");
|
||||||
@ -603,7 +603,7 @@ RUNTIME_FUNCTION(Runtime_StringNormalize) {
|
|||||||
|
|
||||||
CONVERT_ARG_HANDLE_CHECKED(String, s, 0);
|
CONVERT_ARG_HANDLE_CHECKED(String, s, 0);
|
||||||
CONVERT_NUMBER_CHECKED(int, form_id, Int32, args[1]);
|
CONVERT_NUMBER_CHECKED(int, form_id, Int32, args[1]);
|
||||||
RUNTIME_ASSERT(form_id >= 0 &&
|
CHECK(form_id >= 0 &&
|
||||||
static_cast<size_t>(form_id) < arraysize(normalizationForms));
|
static_cast<size_t>(form_id) < arraysize(normalizationForms));
|
||||||
|
|
||||||
int length = s->length();
|
int length = s->length();
|
||||||
@ -621,7 +621,7 @@ RUNTIME_FUNCTION(Runtime_StringNormalize) {
|
|||||||
icu::Normalizer2::getInstance(nullptr, normalizationForms[form_id].name,
|
icu::Normalizer2::getInstance(nullptr, normalizationForms[form_id].name,
|
||||||
normalizationForms[form_id].mode, status);
|
normalizationForms[form_id].mode, status);
|
||||||
DCHECK(U_SUCCESS(status));
|
DCHECK(U_SUCCESS(status));
|
||||||
RUNTIME_ASSERT(normalizer != nullptr);
|
CHECK(normalizer != nullptr);
|
||||||
int32_t normalized_prefix_length =
|
int32_t normalized_prefix_length =
|
||||||
normalizer->spanQuickCheckYes(input, status);
|
normalizer->spanQuickCheckYes(input, status);
|
||||||
// Quick return if the input is already normalized.
|
// Quick return if the input is already normalized.
|
||||||
|
@ -270,7 +270,7 @@ RUNTIME_FUNCTION(Runtime_OptimizeObjectForAddingMultipleProperties) {
|
|||||||
CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
|
CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
|
||||||
CONVERT_SMI_ARG_CHECKED(properties, 1);
|
CONVERT_SMI_ARG_CHECKED(properties, 1);
|
||||||
// Conservative upper limit to prevent fuzz tests from going OOM.
|
// Conservative upper limit to prevent fuzz tests from going OOM.
|
||||||
RUNTIME_ASSERT(properties <= 100000);
|
if (properties > 100000) return isolate->ThrowIllegalOperation();
|
||||||
if (object->HasFastProperties() && !object->IsJSGlobalProxy()) {
|
if (object->HasFastProperties() && !object->IsJSGlobalProxy()) {
|
||||||
JSObject::NormalizeProperties(object, KEEP_INOBJECT_PROPERTIES, properties,
|
JSObject::NormalizeProperties(object, KEEP_INOBJECT_PROPERTIES, properties,
|
||||||
"OptimizeForAdding");
|
"OptimizeForAdding");
|
||||||
|
@ -298,9 +298,11 @@ RUNTIME_FUNCTION(Runtime_SubString) {
|
|||||||
start = FastD2IChecked(from_number);
|
start = FastD2IChecked(from_number);
|
||||||
end = FastD2IChecked(to_number);
|
end = FastD2IChecked(to_number);
|
||||||
}
|
}
|
||||||
RUNTIME_ASSERT(end >= start);
|
// The following condition is intentionally robust because the SubStringStub
|
||||||
RUNTIME_ASSERT(start >= 0);
|
// delegates here and we test this in cctest/test-strings/RobustSubStringStub.
|
||||||
RUNTIME_ASSERT(end <= string->length());
|
if (end < start || start < 0 || end > string->length()) {
|
||||||
|
return isolate->ThrowIllegalOperation();
|
||||||
|
}
|
||||||
isolate->counters()->sub_string_runtime()->Increment();
|
isolate->counters()->sub_string_runtime()->Increment();
|
||||||
|
|
||||||
return *isolate->factory()->NewSubString(string, start, end);
|
return *isolate->factory()->NewSubString(string, start, end);
|
||||||
|
@ -102,7 +102,11 @@ RUNTIME_FUNCTION(Runtime_IsConcurrentRecompilationSupported) {
|
|||||||
|
|
||||||
RUNTIME_FUNCTION(Runtime_OptimizeFunctionOnNextCall) {
|
RUNTIME_FUNCTION(Runtime_OptimizeFunctionOnNextCall) {
|
||||||
HandleScope scope(isolate);
|
HandleScope scope(isolate);
|
||||||
RUNTIME_ASSERT(args.length() == 1 || args.length() == 2);
|
|
||||||
|
// This function is used by fuzzers, ignore calls with bogus arguments count.
|
||||||
|
if (args.length() != 1 && args.length() != 2) {
|
||||||
|
return isolate->heap()->undefined_value();
|
||||||
|
}
|
||||||
|
|
||||||
// This function is used by fuzzers to get coverage for optimizations
|
// This function is used by fuzzers to get coverage for optimizations
|
||||||
// in compiler. Ignore calls on non-function objects to avoid runtime errors.
|
// in compiler. Ignore calls on non-function objects to avoid runtime errors.
|
||||||
@ -113,11 +117,13 @@ RUNTIME_FUNCTION(Runtime_OptimizeFunctionOnNextCall) {
|
|||||||
}
|
}
|
||||||
Handle<JSFunction> function = Handle<JSFunction>::cast(function_object);
|
Handle<JSFunction> function = Handle<JSFunction>::cast(function_object);
|
||||||
|
|
||||||
// The following assertion was lifted from the DCHECK inside
|
// The following condition was lifted from the DCHECK inside
|
||||||
// JSFunction::MarkForOptimization().
|
// JSFunction::MarkForOptimization().
|
||||||
RUNTIME_ASSERT(function->shared()->allows_lazy_compilation() ||
|
if (!(function->shared()->allows_lazy_compilation() ||
|
||||||
(function->code()->kind() == Code::FUNCTION &&
|
(function->code()->kind() == Code::FUNCTION &&
|
||||||
!function->shared()->optimization_disabled()));
|
!function->shared()->optimization_disabled()))) {
|
||||||
|
return isolate->heap()->undefined_value();
|
||||||
|
}
|
||||||
|
|
||||||
// If the function is already optimized, just return.
|
// If the function is already optimized, just return.
|
||||||
if (function->IsOptimized()) return isolate->heap()->undefined_value();
|
if (function->IsOptimized()) return isolate->heap()->undefined_value();
|
||||||
@ -139,9 +145,13 @@ RUNTIME_FUNCTION(Runtime_OptimizeFunctionOnNextCall) {
|
|||||||
|
|
||||||
RUNTIME_FUNCTION(Runtime_OptimizeOsr) {
|
RUNTIME_FUNCTION(Runtime_OptimizeOsr) {
|
||||||
HandleScope scope(isolate);
|
HandleScope scope(isolate);
|
||||||
RUNTIME_ASSERT(args.length() == 0 || args.length() == 1);
|
|
||||||
Handle<JSFunction> function = Handle<JSFunction>::null();
|
|
||||||
|
|
||||||
|
// This function is used by fuzzers, ignore calls with bogus arguments count.
|
||||||
|
if (args.length() != 0 && args.length() == 1) {
|
||||||
|
return isolate->heap()->undefined_value();
|
||||||
|
}
|
||||||
|
|
||||||
|
Handle<JSFunction> function = Handle<JSFunction>::null();
|
||||||
if (args.length() == 0) {
|
if (args.length() == 0) {
|
||||||
// Find the JavaScript function on the top of the stack.
|
// Find the JavaScript function on the top of the stack.
|
||||||
JavaScriptFrameIterator it(isolate);
|
JavaScriptFrameIterator it(isolate);
|
||||||
@ -158,10 +168,12 @@ RUNTIME_FUNCTION(Runtime_OptimizeOsr) {
|
|||||||
function = arg;
|
function = arg;
|
||||||
}
|
}
|
||||||
|
|
||||||
// The following assertion was lifted from the DCHECK inside
|
// The following condition was lifted from the DCHECK inside
|
||||||
// JSFunction::MarkForOptimization().
|
// JSFunction::MarkForOptimization().
|
||||||
RUNTIME_ASSERT(function->shared()->allows_lazy_compilation() ||
|
if (!(function->shared()->allows_lazy_compilation() ||
|
||||||
!function->shared()->optimization_disabled());
|
!function->shared()->optimization_disabled())) {
|
||||||
|
return isolate->heap()->undefined_value();
|
||||||
|
}
|
||||||
|
|
||||||
// If function is interpreted, just return. OSR is not supported.
|
// If function is interpreted, just return. OSR is not supported.
|
||||||
// TODO(4764): Remove this check when OSR is enabled in the interpreter.
|
// TODO(4764): Remove this check when OSR is enabled in the interpreter.
|
||||||
@ -196,7 +208,7 @@ RUNTIME_FUNCTION(Runtime_NeverOptimizeFunction) {
|
|||||||
|
|
||||||
RUNTIME_FUNCTION(Runtime_GetOptimizationStatus) {
|
RUNTIME_FUNCTION(Runtime_GetOptimizationStatus) {
|
||||||
HandleScope scope(isolate);
|
HandleScope scope(isolate);
|
||||||
RUNTIME_ASSERT(args.length() == 1 || args.length() == 2);
|
DCHECK(args.length() == 1 || args.length() == 2);
|
||||||
if (!isolate->use_crankshaft()) {
|
if (!isolate->use_crankshaft()) {
|
||||||
return Smi::FromInt(4); // 4 == "never".
|
return Smi::FromInt(4); // 4 == "never".
|
||||||
}
|
}
|
||||||
@ -233,9 +245,10 @@ RUNTIME_FUNCTION(Runtime_GetOptimizationStatus) {
|
|||||||
|
|
||||||
RUNTIME_FUNCTION(Runtime_UnblockConcurrentRecompilation) {
|
RUNTIME_FUNCTION(Runtime_UnblockConcurrentRecompilation) {
|
||||||
DCHECK(args.length() == 0);
|
DCHECK(args.length() == 0);
|
||||||
RUNTIME_ASSERT(FLAG_block_concurrent_recompilation);
|
if (FLAG_block_concurrent_recompilation &&
|
||||||
RUNTIME_ASSERT(isolate->concurrent_recompilation_enabled());
|
isolate->concurrent_recompilation_enabled()) {
|
||||||
isolate->optimizing_compile_dispatcher()->Unblock();
|
isolate->optimizing_compile_dispatcher()->Unblock();
|
||||||
|
}
|
||||||
return isolate->heap()->undefined_value();
|
return isolate->heap()->undefined_value();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user