[runtime] Specifically handle robust RUNTIME_ASSERTs.

This changes the last few remaining RUNTIME_ASSERT calls that need to be intentionally robust because fuzzers or other callers can invoke the runtime functions in question with unsafe arguments. R=yangguo@chromium.org BUG=v8:5066 Review-Url: https://codereview.chromium.org/2122173003 Cr-Commit-Position: refs/heads/master@{#37576}
2016-07-07 02:38:20 -07:00 · 2016-07-07 02:38:20 -07:00 · 8acc97e2e1
commit 8acc97e2e1
parent 207fd4b9cd
4 changed files with 37 additions and 22 deletions
--- a/src/runtime/runtime-i18n.cc
+++ b/src/runtime/runtime-i18n.cc
@ -173,7 +173,7 @@ RUNTIME_FUNCTION(Runtime_GetLanguageTagVariants) {
  uint32_t length = static_cast<uint32_t>(input->length()->Number());
  // Set some limit to prevent fuzz tests from going OOM.
  // Can be bumped when callers' requirements change.
-  RUNTIME_ASSERT(length < 100);
+  if (length >= 100) return isolate->ThrowIllegalOperation();
  Handle<FixedArray> output = factory->NewFixedArray(length);
  Handle<Name> maximized = factory->NewStringFromStaticChars("maximized");
  Handle<Name> base = factory->NewStringFromStaticChars("base");
@ -603,8 +603,8 @@ RUNTIME_FUNCTION(Runtime_StringNormalize) {

  CONVERT_ARG_HANDLE_CHECKED(String, s, 0);
  CONVERT_NUMBER_CHECKED(int, form_id, Int32, args[1]);
-  RUNTIME_ASSERT(form_id >= 0 &&
-                 static_cast<size_t>(form_id) < arraysize(normalizationForms));
+  CHECK(form_id >= 0 &&
+        static_cast<size_t>(form_id) < arraysize(normalizationForms));

  int length = s->length();
  s = String::Flatten(s);
@ -621,7 +621,7 @@ RUNTIME_FUNCTION(Runtime_StringNormalize) {
        icu::Normalizer2::getInstance(nullptr, normalizationForms[form_id].name,
                                      normalizationForms[form_id].mode, status);
    DCHECK(U_SUCCESS(status));
-    RUNTIME_ASSERT(normalizer != nullptr);
+    CHECK(normalizer != nullptr);
    int32_t normalized_prefix_length =
        normalizer->spanQuickCheckYes(input, status);
    // Quick return if the input is already normalized.
--- a/src/runtime/runtime-object.cc
+++ b/src/runtime/runtime-object.cc
@ -270,7 +270,7 @@ RUNTIME_FUNCTION(Runtime_OptimizeObjectForAddingMultipleProperties) {
  CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
  CONVERT_SMI_ARG_CHECKED(properties, 1);
  // Conservative upper limit to prevent fuzz tests from going OOM.
-  RUNTIME_ASSERT(properties <= 100000);
+  if (properties > 100000) return isolate->ThrowIllegalOperation();
  if (object->HasFastProperties() && !object->IsJSGlobalProxy()) {
    JSObject::NormalizeProperties(object, KEEP_INOBJECT_PROPERTIES, properties,
                                  "OptimizeForAdding");
--- a/src/runtime/runtime-strings.cc
+++ b/src/runtime/runtime-strings.cc
@ -298,9 +298,11 @@ RUNTIME_FUNCTION(Runtime_SubString) {
    start = FastD2IChecked(from_number);
    end = FastD2IChecked(to_number);
  }
-  RUNTIME_ASSERT(end >= start);
-  RUNTIME_ASSERT(start >= 0);
-  RUNTIME_ASSERT(end <= string->length());
+  // The following condition is intentionally robust because the SubStringStub
+  // delegates here and we test this in cctest/test-strings/RobustSubStringStub.
+  if (end < start || start < 0 || end > string->length()) {
+    return isolate->ThrowIllegalOperation();
+  }
  isolate->counters()->sub_string_runtime()->Increment();

  return *isolate->factory()->NewSubString(string, start, end);
--- a/src/runtime/runtime-test.cc
+++ b/src/runtime/runtime-test.cc
@ -102,7 +102,11 @@ RUNTIME_FUNCTION(Runtime_IsConcurrentRecompilationSupported) {

 RUNTIME_FUNCTION(Runtime_OptimizeFunctionOnNextCall) {
  HandleScope scope(isolate);
-  RUNTIME_ASSERT(args.length() == 1 || args.length() == 2);
+
+  // This function is used by fuzzers, ignore calls with bogus arguments count.
+  if (args.length() != 1 && args.length() != 2) {
+    return isolate->heap()->undefined_value();
+  }

  // This function is used by fuzzers to get coverage for optimizations
  // in compiler. Ignore calls on non-function objects to avoid runtime errors.
@ -113,11 +117,13 @@ RUNTIME_FUNCTION(Runtime_OptimizeFunctionOnNextCall) {
  }
  Handle<JSFunction> function = Handle<JSFunction>::cast(function_object);

-  // The following assertion was lifted from the DCHECK inside
+  // The following condition was lifted from the DCHECK inside
  // JSFunction::MarkForOptimization().
-  RUNTIME_ASSERT(function->shared()->allows_lazy_compilation() ||
-                 (function->code()->kind() == Code::FUNCTION &&
-                  !function->shared()->optimization_disabled()));
+  if (!(function->shared()->allows_lazy_compilation() ||
+        (function->code()->kind() == Code::FUNCTION &&
+         !function->shared()->optimization_disabled()))) {
+    return isolate->heap()->undefined_value();
+  }

  // If the function is already optimized, just return.
  if (function->IsOptimized()) return isolate->heap()->undefined_value();
@ -139,9 +145,13 @@ RUNTIME_FUNCTION(Runtime_OptimizeFunctionOnNextCall) {

 RUNTIME_FUNCTION(Runtime_OptimizeOsr) {
  HandleScope scope(isolate);
-  RUNTIME_ASSERT(args.length() == 0 || args.length() == 1);
-  Handle<JSFunction> function = Handle<JSFunction>::null();

+  // This function is used by fuzzers, ignore calls with bogus arguments count.
+  if (args.length() != 0 && args.length() == 1) {
+    return isolate->heap()->undefined_value();
+  }
+
+  Handle<JSFunction> function = Handle<JSFunction>::null();
  if (args.length() == 0) {
    // Find the JavaScript function on the top of the stack.
    JavaScriptFrameIterator it(isolate);
@ -158,10 +168,12 @@ RUNTIME_FUNCTION(Runtime_OptimizeOsr) {
    function = arg;
  }

-  // The following assertion was lifted from the DCHECK inside
+  // The following condition was lifted from the DCHECK inside
  // JSFunction::MarkForOptimization().
-  RUNTIME_ASSERT(function->shared()->allows_lazy_compilation() ||
-                 !function->shared()->optimization_disabled());
+  if (!(function->shared()->allows_lazy_compilation() ||
+        !function->shared()->optimization_disabled())) {
+    return isolate->heap()->undefined_value();
+  }

  // If function is interpreted, just return. OSR is not supported.
  // TODO(4764): Remove this check when OSR is enabled in the interpreter.
@ -196,7 +208,7 @@ RUNTIME_FUNCTION(Runtime_NeverOptimizeFunction) {

 RUNTIME_FUNCTION(Runtime_GetOptimizationStatus) {
  HandleScope scope(isolate);
-  RUNTIME_ASSERT(args.length() == 1 || args.length() == 2);
+  DCHECK(args.length() == 1 || args.length() == 2);
  if (!isolate->use_crankshaft()) {
    return Smi::FromInt(4);  // 4 == "never".
  }
@ -233,9 +245,10 @@ RUNTIME_FUNCTION(Runtime_GetOptimizationStatus) {

 RUNTIME_FUNCTION(Runtime_UnblockConcurrentRecompilation) {
  DCHECK(args.length() == 0);
-  RUNTIME_ASSERT(FLAG_block_concurrent_recompilation);
-  RUNTIME_ASSERT(isolate->concurrent_recompilation_enabled());
-  isolate->optimizing_compile_dispatcher()->Unblock();
+  if (FLAG_block_concurrent_recompilation &&
+      isolate->concurrent_recompilation_enabled()) {
+    isolate->optimizing_compile_dispatcher()->Unblock();
+  }
  return isolate->heap()->undefined_value();
 }