AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Make Runtime_Apply safer.

Browse Source 
There is a call to Object::GetElement that could conceivably cause a GC.
Handlify all raw pointer local variables.

R=vegorov@chromium.org
BUG=
TEST=

Review URL: http://codereview.chromium.org/8952028

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10319 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
kmillikin@chromium.org 2012-01-02 15:22:21 +00:00
parent 49acd1843b
commit b75beff3fc
1 changed files with 8 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/runtime.cc
View File

@ -1,4 +1,4 @@
// Copyright 2011 the V8 project authors. All rights reserved. // Copyright 2012 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without // Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are // modification, are permitted provided that the following conditions are
// met: // met:
@ -8707,14 +8707,11 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_Call) {
RUNTIME_FUNCTION(MaybeObject*, Runtime_Apply) { RUNTIME_FUNCTION(MaybeObject*, Runtime_Apply) {
HandleScope scope(isolate); HandleScope scope(isolate);
ASSERT(args.length() == 5); ASSERT(args.length() == 5);
CONVERT_CHECKED(JSReceiver, fun, args[0]); CONVERT_ARG_CHECKED(JSReceiver, fun, 0);
Object* receiver = args[1]; Handle<Object> receiver = args.at<Object>(1);
CONVERT_CHECKED(JSObject, arguments, args[2]); CONVERT_ARG_CHECKED(JSObject, arguments, 2);
CONVERT_CHECKED(Smi, shift, args[3]); CONVERT_SMI_ARG_CHECKED(offset, 3);
CONVERT_CHECKED(Smi, arity, args[4]); CONVERT_SMI_ARG_CHECKED(argc, 4);
int offset = shift->value();
int argc = arity->value();
ASSERT(offset >= 0); ASSERT(offset >= 0);
ASSERT(argc >= 0); ASSERT(argc >= 0);
@ -8730,17 +8727,12 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_Apply) {
} }
for (int i = 0; i < argc; ++i) { for (int i = 0; i < argc; ++i) {
MaybeObject* maybe = arguments->GetElement(offset + i); argv[i] = Object::GetElement(arguments, offset + i);
Object* object;
if (!maybe->To<Object>(&object)) return maybe;
argv[i] = Handle<Object>(object);
} }
bool threw; bool threw;
Handle<JSReceiver> hfun(fun);
Handle<Object> hreceiver(receiver);
Handle<Object> result = Handle<Object> result =
Execution::Call(hfun, hreceiver, argc, argv, &threw, true); Execution::Call(fun, receiver, argc, argv, &threw, true);
if (threw) return Failure::Exception(); if (threw) return Failure::Exception();
return *result; return *result;