From d69df91c27018affdba41f89abea59ff4887c30b Mon Sep 17 00:00:00 2001
From: Peter Marshall <petermarshall@chromium.org>
Date: Thu, 14 Jun 2018 15:40:16 +0200
Subject: [PATCH] [typedarray] Fix incorrect access to typed array byte offset.

Byte offset can be outside of Smi range and must be loaded as a Number
rather than a Smi.

Bug: chromium:852258
Change-Id: Ida6e07ba68a050d4f5a9f28500986cc67c619b4c
Reviewed-on: https://chromium-review.googlesource.com/1100886
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53748}
---
 src/builtins/builtins-typed-array-gen.cc | 17 +++++++++++++----
 test/mjsunit/regress/regress-852258.js   | 11 +++++++++++
 2 files changed, 24 insertions(+), 4 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-852258.js

diff --git a/src/builtins/builtins-typed-array-gen.cc b/src/builtins/builtins-typed-array-gen.cc
index 16e90544fa..5461ae4035 100644
--- a/src/builtins/builtins-typed-array-gen.cc
+++ b/src/builtins/builtins-typed-array-gen.cc
@@ -1365,15 +1365,24 @@ TF_BUILTIN(TypedArrayPrototypeSlice, TypedArrayBuiltinsAssembler) {
     TNode<IntPtrT> count_bytes = IntPtrMul(SmiToIntPtr(count), source_el_size);
 
 #ifdef DEBUG
-    TNode<IntPtrT> target_byte_length =
-        LoadAndUntagObjectField(result_array, JSTypedArray::kByteLengthOffset);
+    Label done(this), to_intptr_failed(this, Label::kDeferred);
+    TNode<IntPtrT> target_byte_length = TryToIntptr(
+        LoadObjectField<Number>(result_array, JSTypedArray::kByteLengthOffset),
+        &to_intptr_failed);
     CSA_ASSERT(this, IntPtrLessThanOrEqual(count_bytes, target_byte_length));
 
-    TNode<IntPtrT> source_byte_length =
-        LoadAndUntagObjectField(source, JSTypedArray::kByteLengthOffset);
+    TNode<IntPtrT> source_byte_length = TryToIntptr(
+        LoadObjectField<Number>(source, JSTypedArray::kByteLengthOffset),
+        &to_intptr_failed);
     TNode<IntPtrT> source_size_in_bytes =
         IntPtrSub(source_byte_length, source_start_bytes);
     CSA_ASSERT(this, IntPtrLessThanOrEqual(count_bytes, source_size_in_bytes));
+    Goto(&done);
+
+    BIND(&to_intptr_failed);
+    Unreachable();
+
+    BIND(&done);
 #endif  // DEBUG
 
     CallCMemmove(target_data_ptr, source_start, count_bytes);
diff --git a/test/mjsunit/regress/regress-852258.js b/test/mjsunit/regress/regress-852258.js
new file mode 100644
index 0000000000..0cf1a45c71
--- /dev/null
+++ b/test/mjsunit/regress/regress-852258.js
@@ -0,0 +1,11 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+try {
+  let ta0 = new Int16Array(0x24924925);
+  let ta2 = ta0.slice(1);
+  let ta1 = ta0.slice(0x24924924);
+} catch (e) {
+  // Allocation failed, that's fine.
+}