Fix splice bug in handling of negative arguments length

Bug: chromium:778668 Change-Id: Ie75f2ecb9e6134b6eb57c7d7fb6ea33cbb2fc2bf Reviewed-on: https://chromium-review.googlesource.com/753324 Commit-Queue: Daniel Clifford <danno@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#49301}
2017-11-10 15:22:44 +01:00 · 2017-11-10 15:22:44 +01:00 · d5885ca2b9
commit d5885ca2b9
parent 65d2f6e107
2 changed files with 24 additions and 0 deletions
--- a/src/builtins/builtins-array-gen.cc
+++ b/src/builtins/builtins-array-gen.cc
@ -1109,6 +1109,8 @@ class FastArraySliceCodeStubAssembler : public CodeStubAssembler {
    Node* elements_kind = LoadMapElementsKind(map);
    GotoIfNot(IsFastElementsKind(elements_kind), &try_simple_slice);

+    CSA_ASSERT(this, SmiGreaterThanOrEqual(from, SmiConstant(0)));
+
    result.Bind(CallStub(CodeFactory::ExtractFastJSArray(isolate()), context,
                         array, from, count));
    Goto(&done);
@ -1134,6 +1136,8 @@ class FastArraySliceCodeStubAssembler : public CodeStubAssembler {
    GotoIf(SmiAboveOrEqual(count, SmiConstant(max_fast_elements)),
           &try_simple_slice);

+    GotoIf(SmiLessThan(from, SmiConstant(0)), slow);
+
    Node* end = SmiAdd(from, count);

    Node* unmapped_elements = LoadFixedArrayElement(
--- a/test/mjsunit/regress/regress-778668.js
+++ b/test/mjsunit/regress/regress-778668.js
@ -0,0 +1,20 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+(function () {
+  function f( __v_59960) {
+    arguments.length = -5;
+    Array.prototype.slice.call(arguments);
+  }
+  f('a')
+})();
+
+(function () {
+  function f( __v_59960) {
+    arguments.length = 2.3;
+    print(arguments.length);
+    Array.prototype.slice.call(arguments);
+  }
+  f('a')
+})();