AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Harden more runtime functions

Browse Source 
BUG=chromium:372239
LOG=n
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/282493005

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21271 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
jkummerow@chromium.org 2014-05-12 15:30:00 +00:00
parent 3ccedf8952
commit a3a5642097
4 changed files with 19 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/hydrogen.cc
View File

@ -8889,10 +8889,20 @@ void HOptimizedGraphBuilder::GenerateTypedArrayInitialize(
CHECK_ALIVE(VisitForValue(arguments->at(kObjectArg)));
HValue* obj = Pop();
ASSERT(arguments->at(kArrayIdArg)->node_type() == AstNode::kLiteral);
if (arguments->at(kArrayIdArg)->node_type() != AstNode::kLiteral) {
// This should never happen in real use, but can happen when fuzzing.
// Just bail out.
Bailout(kNeedSmiLiteral);
return;
}
Handle<Object> value =
static_cast<Literal*>(arguments->at(kArrayIdArg))->value();
ASSERT(value->IsSmi());
if (!value->IsSmi()) {
// This should never happen in real use, but can happen when fuzzing.
// Just bail out.
Bailout(kNeedSmiLiteral);
return;
}
int array_id = Smi::cast(*value)->value();
HValue* buffer;

2
src/objects-inl.h
View File

@ -5125,7 +5125,7 @@ SMI_ACCESSORS(SharedFunctionInfo, profiler_ticks, kProfilerTicksOffset)
void holder::set_##name(int value) { \
ASSERT(kHeapObjectTag == 1); \
ASSERT((value & 0xC0000000) == 0xC0000000 || \
(value & 0xC0000000) == 0x000000000); \
(value & 0xC0000000) == 0x0); \
WRITE_INT_FIELD(this, \
offset, \
(value << 1) & ~kHeapObjectTag); \

1
src/objects.h
View File

@ -1166,6 +1166,7 @@ template <class C> inline bool Is(Object* obj);
V(kModuleVariable, "Module variable") \
V(kModuleUrl, "Module url") \
V(kNativeFunctionLiteral, "Native function literal") \
V(kNeedSmiLiteral, "Need a Smi literal here") \
V(kNoCasesLeft, "No cases left") \
V(kNoEmptyArraysHereInEmitFastAsciiArrayJoin, \
"No empty arrays here in EmitFastAsciiArrayJoin") \

5
src/runtime.cc
View File

@ -3030,6 +3030,8 @@ RUNTIME_FUNCTION(Runtime_FunctionSetLength) {
CONVERT_ARG_CHECKED(JSFunction, fun, 0);
CONVERT_SMI_ARG_CHECKED(length, 1);
RUNTIME_ASSERT((length & 0xC0000000) == 0xC0000000 ||
(length & 0xC0000000) == 0x0);
fun->shared()->set_length(length);
return isolate->heap()->undefined_value();
}
@ -4882,6 +4884,7 @@ RUNTIME_FUNCTION(Runtime_NumberToFixed) {
int f = FastD2IChecked(f_number);
// See DoubleToFixedCString for these constants:
RUNTIME_ASSERT(f >= 0 && f <= 20);
RUNTIME_ASSERT(!Double(value).IsSpecial());
char* str = DoubleToFixedCString(value, f);
Handle<String> result = isolate->factory()->NewStringFromAsciiChecked(str);
DeleteArray(str);
@ -4897,6 +4900,7 @@ RUNTIME_FUNCTION(Runtime_NumberToExponential) {
CONVERT_DOUBLE_ARG_CHECKED(f_number, 1);
int f = FastD2IChecked(f_number);
RUNTIME_ASSERT(f >= -1 && f <= 20);
RUNTIME_ASSERT(!Double(value).IsSpecial());
char* str = DoubleToExponentialCString(value, f);
Handle<String> result = isolate->factory()->NewStringFromAsciiChecked(str);
DeleteArray(str);
@ -4912,6 +4916,7 @@ RUNTIME_FUNCTION(Runtime_NumberToPrecision) {
CONVERT_DOUBLE_ARG_CHECKED(f_number, 1);
int f = FastD2IChecked(f_number);
RUNTIME_ASSERT(f >= 1 && f <= 21);
RUNTIME_ASSERT(!Double(value).IsSpecial());
char* str = DoubleToPrecisionCString(value, f);
Handle<String> result = isolate->factory()->NewStringFromAsciiChecked(str);
DeleteArray(str);