Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(552)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: src/builtins.cc

Issue 11348071: Always check copy_size before getting accessor and trying to copy. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Created 8 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2012 the V8 project authors. All rights reserved. 1 // Copyright 2012 the V8 project authors. All rights reserved.
2 // Redistribution and use in source and binary forms, with or without 2 // Redistribution and use in source and binary forms, with or without
3 // modification, are permitted provided that the following conditions are 3 // modification, are permitted provided that the following conditions are
4 // met: 4 // met:
5 // 5 //
6 // * Redistributions of source code must retain the above copyright 6 // * Redistributions of source code must retain the above copyright
7 // notice, this list of conditions and the following disclaimer. 7 // notice, this list of conditions and the following disclaimer.
8 // * Redistributions in binary form must reproduce the above 8 // * Redistributions in binary form must reproduce the above
9 // copyright notice, this list of conditions and the following 9 // copyright notice, this list of conditions and the following
10 // disclaimer in the documentation and/or other materials provided 10 // disclaimer in the documentation and/or other materials provided
(...skipping 556 matching lines...) Expand 10 before | Expand all | Expand 10 after
567 567
568 int new_length = len + to_add; 568 int new_length = len + to_add;
569 569
570 if (new_length > elms->length()) { 570 if (new_length > elms->length()) {
571 // New backing storage is needed. 571 // New backing storage is needed.
572 int capacity = new_length + (new_length >> 1) + 16; 572 int capacity = new_length + (new_length >> 1) + 16;
573 FixedArray* new_elms; 573 FixedArray* new_elms;
574 MaybeObject* maybe_obj = heap->AllocateUninitializedFixedArray(capacity); 574 MaybeObject* maybe_obj = heap->AllocateUninitializedFixedArray(capacity);
575 if (!maybe_obj->To(&new_elms)) return maybe_obj; 575 if (!maybe_obj->To(&new_elms)) return maybe_obj;
576 576
577 ElementsAccessor* accessor = array->GetElementsAccessor(); 577 if (len > 0) {
578 MaybeObject* maybe_failure = 578 ElementsAccessor* accessor = array->GetElementsAccessor();
579 accessor->CopyElements(array, 0, new_elms, kind, 0, len, elms_obj); 579 MaybeObject* maybe_failure =
580 ASSERT(!maybe_failure->IsFailure()); 580 accessor->CopyElements(array, 0, new_elms, kind, 0, len, elms_obj);
581 USE(maybe_failure); 581 ASSERT(!maybe_failure->IsFailure());
582 USE(maybe_failure);
583 }
582 FillWithHoles(heap, new_elms, new_length, capacity); 584 FillWithHoles(heap, new_elms, new_length, capacity);
583 585
584 elms = new_elms; 586 elms = new_elms;
585 } 587 }
586 588
587 // Add the provided values. 589 // Add the provided values.
588 AssertNoAllocation no_gc; 590 AssertNoAllocation no_gc;
589 WriteBarrierMode mode = elms->GetWriteBarrierMode(no_gc); 591 WriteBarrierMode mode = elms->GetWriteBarrierMode(no_gc);
590 for (int index = 0; index < to_add; index++) { 592 for (int index = 0; index < to_add; index++) {
591 elms->set(index + len, args[index + 1], mode); 593 elms->set(index + len, args[index + 1], mode);
(...skipping 22 matching lines...) Expand all
614 616
615 FixedDoubleArray* new_elms; 617 FixedDoubleArray* new_elms;
616 618
617 if (new_length > elms_len) { 619 if (new_length > elms_len) {
618 // New backing storage is needed. 620 // New backing storage is needed.
619 int capacity = new_length + (new_length >> 1) + 16; 621 int capacity = new_length + (new_length >> 1) + 16;
620 MaybeObject* maybe_obj = 622 MaybeObject* maybe_obj =
621 heap->AllocateUninitializedFixedDoubleArray(capacity); 623 heap->AllocateUninitializedFixedDoubleArray(capacity);
622 if (!maybe_obj->To(&new_elms)) return maybe_obj; 624 if (!maybe_obj->To(&new_elms)) return maybe_obj;
623 625
624 ElementsAccessor* accessor = array->GetElementsAccessor(); 626 if (len > 0) {
625 MaybeObject* maybe_failure = 627 ElementsAccessor* accessor = array->GetElementsAccessor();
626 accessor->CopyElements(array, 0, new_elms, kind, 0, len, elms_obj); 628 MaybeObject* maybe_failure =
627 ASSERT(!maybe_failure->IsFailure()); 629 accessor->CopyElements(array, 0, new_elms, kind, 0, len, elms_obj);
628 USE(maybe_failure); 630 ASSERT(!maybe_failure->IsFailure());
631 USE(maybe_failure);
632 }
629 633
630 FillWithHoles(new_elms, len + to_add, new_elms->length()); 634 FillWithHoles(new_elms, len + to_add, new_elms->length());
631 } else { 635 } else {
632 // to_add is > 0 and new_length <= elms_len, so elms_obj cannot be the 636 // to_add is > 0 and new_length <= elms_len, so elms_obj cannot be the
633 // empty_fixed_array. 637 // empty_fixed_array.
634 new_elms = FixedDoubleArray::cast(elms_obj); 638 new_elms = FixedDoubleArray::cast(elms_obj);
635 } 639 }
636 640
637 // Add the provided values. 641 // Add the provided values.
638 AssertNoAllocation no_gc; 642 AssertNoAllocation no_gc;
(...skipping 137 matching lines...) Expand 10 before | Expand all | Expand 10 after
776 DONT_ALLOW_DOUBLE_ELEMENTS); 780 DONT_ALLOW_DOUBLE_ELEMENTS);
777 if (maybe_object->IsFailure()) return maybe_object; 781 if (maybe_object->IsFailure()) return maybe_object;
778 782
779 if (new_length > elms->length()) { 783 if (new_length > elms->length()) {
780 // New backing storage is needed. 784 // New backing storage is needed.
781 int capacity = new_length + (new_length >> 1) + 16; 785 int capacity = new_length + (new_length >> 1) + 16;
782 FixedArray* new_elms; 786 FixedArray* new_elms;
783 MaybeObject* maybe_elms = heap->AllocateUninitializedFixedArray(capacity); 787 MaybeObject* maybe_elms = heap->AllocateUninitializedFixedArray(capacity);
784 if (!maybe_elms->To(&new_elms)) return maybe_elms; 788 if (!maybe_elms->To(&new_elms)) return maybe_elms;
785 789
786 ElementsKind kind = array->GetElementsKind(); 790 if (len > 0) {
787 ElementsAccessor* accessor = array->GetElementsAccessor(); 791 ElementsKind kind = array->GetElementsKind();
788 MaybeObject* maybe_failure = 792 ElementsAccessor* accessor = array->GetElementsAccessor();
789 accessor->CopyElements(array, 0, new_elms, kind, to_add, len, elms); 793 MaybeObject* maybe_failure =
790 ASSERT(!maybe_failure->IsFailure()); 794 accessor->CopyElements(array, 0, new_elms, kind, to_add, len, elms);
791 USE(maybe_failure); 795 ASSERT(!maybe_failure->IsFailure());
796 USE(maybe_failure);
797 }
792 798
793 FillWithHoles(heap, new_elms, new_length, capacity); 799 FillWithHoles(heap, new_elms, new_length, capacity);
794 elms = new_elms; 800 elms = new_elms;
795 array->set_elements(elms); 801 array->set_elements(elms);
796 } else { 802 } else {
797 AssertNoAllocation no_gc; 803 AssertNoAllocation no_gc;
798 MoveElements(heap, &no_gc, elms, to_add, elms, 0, len); 804 MoveElements(heap, &no_gc, elms, to_add, elms, 0, len);
799 } 805 }
800 806
801 // Add the provided values. 807 // Add the provided values.
(...skipping 120 matching lines...) Expand 10 before | Expand all | Expand 10 after
922 int final = (relative_end < 0) ? Max(len + relative_end, 0) 928 int final = (relative_end < 0) ? Max(len + relative_end, 0)
923 : Min(relative_end, len); 929 : Min(relative_end, len);
924 930
925 // Calculate the length of result array. 931 // Calculate the length of result array.
926 int result_len = Max(final - k, 0); 932 int result_len = Max(final - k, 0);
927 933
928 JSArray* result_array; 934 JSArray* result_array;
929 MaybeObject* maybe_array = heap->AllocateJSArrayAndStorage(kind, 935 MaybeObject* maybe_array = heap->AllocateJSArrayAndStorage(kind,
930 result_len, 936 result_len,
931 result_len); 937 result_len);
938
939 if (result_len == 0) return maybe_array;
932 if (!maybe_array->To(&result_array)) return maybe_array; 940 if (!maybe_array->To(&result_array)) return maybe_array;
933 941
934 ElementsAccessor* accessor = object->GetElementsAccessor(); 942 ElementsAccessor* accessor = object->GetElementsAccessor();
935 MaybeObject* maybe_failure = 943 MaybeObject* maybe_failure =
936 accessor->CopyElements(object, k, result_array->elements(), 944 accessor->CopyElements(object, k, result_array->elements(),
937 kind, 0, result_len, elms); 945 kind, 0, result_len, elms);
938 ASSERT(!maybe_failure->IsFailure()); 946 ASSERT(!maybe_failure->IsFailure());
939 USE(maybe_failure); 947 USE(maybe_failure);
940 948
941 return result_array; 949 return result_array;
(...skipping 146 matching lines...) Expand 10 before | Expand all | Expand 10 after
1088 ASSERT((item_count - actual_delete_count) <= (Smi::kMaxValue - len)); 1096 ASSERT((item_count - actual_delete_count) <= (Smi::kMaxValue - len));
1089 1097
1090 // Check if array need to grow. 1098 // Check if array need to grow.
1091 if (new_length > elms->length()) { 1099 if (new_length > elms->length()) {
1092 // New backing storage is needed. 1100 // New backing storage is needed.
1093 int capacity = new_length + (new_length >> 1) + 16; 1101 int capacity = new_length + (new_length >> 1) + 16;
1094 FixedArray* new_elms; 1102 FixedArray* new_elms;
1095 MaybeObject* maybe_obj = heap->AllocateUninitializedFixedArray(capacity); 1103 MaybeObject* maybe_obj = heap->AllocateUninitializedFixedArray(capacity);
1096 if (!maybe_obj->To(&new_elms)) return maybe_obj; 1104 if (!maybe_obj->To(&new_elms)) return maybe_obj;
1097 1105
1098 // Copy the part before actual_start as is.
1099 ElementsKind kind = array->GetElementsKind(); 1106 ElementsKind kind = array->GetElementsKind();
1100 ElementsAccessor* accessor = array->GetElementsAccessor(); 1107 ElementsAccessor* accessor = array->GetElementsAccessor();
1101 MaybeObject* maybe_failure = accessor->CopyElements( 1108 if (actual_start > 0) {
1102 array, 0, new_elms, kind, 0, actual_start, elms); 1109 // Copy the part before actual_start as is.
1103 ASSERT(!maybe_failure->IsFailure()); 1110 MaybeObject* maybe_failure = accessor->CopyElements(
1104 USE(maybe_failure); 1111 array, 0, new_elms, kind, 0, actual_start, elms);
1112 ASSERT(!maybe_failure->IsFailure());
1113 USE(maybe_failure);
1114 }
1105 const int to_copy = len - actual_delete_count - actual_start; 1115 const int to_copy = len - actual_delete_count - actual_start;
1106 maybe_failure = accessor->CopyElements( 1116 if (to_copy > 0) {
1107 array, actual_start + actual_delete_count, new_elms, kind, 1117 MaybeObject* maybe_failure = accessor->CopyElements(
1108 actual_start + item_count, to_copy, elms); 1118 array, actual_start + actual_delete_count, new_elms, kind,
1109 ASSERT(!maybe_failure->IsFailure()); 1119 actual_start + item_count, to_copy, elms);
1110 USE(maybe_failure); 1120 ASSERT(!maybe_failure->IsFailure());
1121 USE(maybe_failure);
1122 }
1111 1123
1112 FillWithHoles(heap, new_elms, new_length, capacity); 1124 FillWithHoles(heap, new_elms, new_length, capacity);
1113 1125
1114 elms_obj = new_elms; 1126 elms_obj = new_elms;
1115 elms_changed = true; 1127 elms_changed = true;
1116 } else { 1128 } else {
1117 AssertNoAllocation no_gc; 1129 AssertNoAllocation no_gc;
1118 MoveElements(heap, &no_gc, 1130 MoveElements(heap, &no_gc,
1119 elms, actual_start + item_count, 1131 elms, actual_start + item_count,
1120 elms, actual_start + actual_delete_count, 1132 elms, actual_start + actual_delete_count,
(...skipping 58 matching lines...) Expand 10 before | Expand all | Expand 10 after
1179 STATIC_ASSERT(FixedArray::kMaxLength < kHalfOfMaxInt); 1191 STATIC_ASSERT(FixedArray::kMaxLength < kHalfOfMaxInt);
1180 USE(kHalfOfMaxInt); 1192 USE(kHalfOfMaxInt);
1181 result_len += len; 1193 result_len += len;
1182 ASSERT(result_len >= 0); 1194 ASSERT(result_len >= 0);
1183 1195
1184 if (result_len > FixedDoubleArray::kMaxLength) { 1196 if (result_len > FixedDoubleArray::kMaxLength) {
1185 return CallJsBuiltin(isolate, "ArrayConcat", args); 1197 return CallJsBuiltin(isolate, "ArrayConcat", args);
1186 } 1198 }
1187 1199
1188 ElementsKind arg_kind = JSArray::cast(arg)->map()->elements_kind(); 1200 ElementsKind arg_kind = JSArray::cast(arg)->map()->elements_kind();
1189 ElementsKind packed_kind = GetPackedElementsKind(arg_kind); 1201 if (IsMoreGeneralElementsKindTransition(elements_kind, arg_kind)) {
1190 if (IsMoreGeneralElementsKindTransition( 1202 elements_kind = IsFastHoleyElementsKind(elements_kind)
1191 GetPackedElementsKind(elements_kind), packed_kind)) { 1203 ? GetHoleyElementsKind(arg_kind) : arg_kind;
1192 if (IsFastHoleyElementsKind(elements_kind)) {
1193 elements_kind = GetHoleyElementsKind(arg_kind);
1194 } else {
1195 elements_kind = arg_kind;
1196 }
1197 } 1204 }
1198 } 1205 }
1199 1206
1200 JSArray* result_array; 1207 JSArray* result_array;
1201 // Allocate result. 1208 // Allocate result.
1202 MaybeObject* maybe_array = 1209 MaybeObject* maybe_array =
1203 heap->AllocateJSArrayAndStorage(elements_kind, 1210 heap->AllocateJSArrayAndStorage(elements_kind,
1204 result_len, 1211 result_len,
1205 result_len); 1212 result_len);
1206 if (!maybe_array->To(&result_array)) return maybe_array; 1213 if (!maybe_array->To(&result_array)) return maybe_array;
1207 if (result_len == 0) return result_array; 1214 if (result_len == 0) return result_array;
1208 1215
1209 int j = 0; 1216 int j = 0;
1210 FixedArrayBase* storage = result_array->elements(); 1217 FixedArrayBase* storage = result_array->elements();
1211 for (int i = 0; i < n_arguments; i++) { 1218 for (int i = 0; i < n_arguments; i++) {
1212 JSArray* array = JSArray::cast(args[i]); 1219 JSArray* array = JSArray::cast(args[i]);
1213 ElementsAccessor* accessor = array->GetElementsAccessor();
1214 int len = Smi::cast(array->length())->value(); 1220 int len = Smi::cast(array->length())->value();
1215 MaybeObject* maybe_failure = 1221 if (len > 0) {
1216 accessor->CopyElements(array, 0, storage, elements_kind, j, len); 1222 ElementsAccessor* accessor = array->GetElementsAccessor();
1217 if (maybe_failure->IsFailure()) return maybe_failure; 1223 MaybeObject* maybe_failure =
1218 j += len; 1224 accessor->CopyElements(array, 0, storage, elements_kind, j, len);
1225 if (maybe_failure->IsFailure()) return maybe_failure;
1226 j += len;
1227 }
1219 } 1228 }
1220 1229
1221 ASSERT(j == result_len); 1230 ASSERT(j == result_len);
1222 1231
1223 return result_array; 1232 return result_array;
1224 } 1233 }
1225 1234
1226 1235
1227 // ----------------------------------------------------------------------------- 1236 // -----------------------------------------------------------------------------
1228 // Strict mode poison pills 1237 // Strict mode poison pills
(...skipping 692 matching lines...) Expand 10 before | Expand all | Expand 10 after
1921 return Handle<Code>(code_address); \ 1930 return Handle<Code>(code_address); \
1922 } 1931 }
1923 BUILTIN_LIST_C(DEFINE_BUILTIN_ACCESSOR_C) 1932 BUILTIN_LIST_C(DEFINE_BUILTIN_ACCESSOR_C)
1924 BUILTIN_LIST_A(DEFINE_BUILTIN_ACCESSOR_A) 1933 BUILTIN_LIST_A(DEFINE_BUILTIN_ACCESSOR_A)
1925 BUILTIN_LIST_DEBUG_A(DEFINE_BUILTIN_ACCESSOR_A) 1934 BUILTIN_LIST_DEBUG_A(DEFINE_BUILTIN_ACCESSOR_A)
1926 #undef DEFINE_BUILTIN_ACCESSOR_C 1935 #undef DEFINE_BUILTIN_ACCESSOR_C
1927 #undef DEFINE_BUILTIN_ACCESSOR_A 1936 #undef DEFINE_BUILTIN_ACCESSOR_A
1928 1937
1929 1938
1930 } } // namespace v8::internal 1939 } } // namespace v8::internal
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698