src/runtime.cc - Issue 13465008: Fix Array.prototype.concat when exceeding array size limit.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/runtime.cc

Issue 13465008: Fix Array.prototype.concat when exceeding array size limit. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge

Patch Set: Created 7 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/runtime.cc

diff --git a/src/runtime.cc b/src/runtime.cc

index 5fe1f9dc5bcb33a93581e2f2ed100d58cfe5c5f0..7f0d38f7e1b4f9eda62885cf4f403dcdadfa4219 100644

--- a/src/runtime.cc

+++ b/src/runtime.cc

@@ -8962,14 +8962,18 @@ class ArrayConcatVisitor {

storage_(Handle<FixedArray>::cast(

isolate->global_handles()->Create(*storage))),

index_offset_(0u),

- fast_elements_(fast_elements) { }

+ fast_elements_(fast_elements),

+ exceeds_array_limit_(false) { }

~ArrayConcatVisitor() {

clear_storage();

}

void visit(uint32_t i, Handle<Object> elm) {

- if (i >= JSObject::kMaxElementCount - index_offset_) return;

+ if (i >= JSObject::kMaxElementCount - index_offset_) {

Toon Verwaest 2013/04/04 12:52:24 Seems like an off-by-one error. What about index_o

+ exceeds_array_limit_ = true;

+ return;

+ }

uint32_t index = index_offset_ + i;

if (fast_elements_) {

@@ -9004,7 +9008,12 @@ class ArrayConcatVisitor {

}

- Handle<JSArray> ToArray() {

+ Handle<Object> ToArray() {

+ if (exceeds_array_limit_) {

+ // Index exceeds the array size limit, so that elements would be stored

+ // as properties are missing.

+ return Handle<Smi>(Smi::FromInt(0), isolate_);

+ }

Handle<JSArray> array = isolate_->factory()->NewJSArray(0);

Handle<Object> length =

isolate_->factory()->NewNumber(static_cast<double>(index_offset_));

@@ -9063,6 +9072,7 @@ class ArrayConcatVisitor {

// JSObject::kMaxElementCount.

uint32_t index_offset_;

bool fast_elements_;

+ bool exceeds_array_limit_;

};

« no previous file with comments | « src/array.js ('k') | test/mjsunit/regress/regress-581.js » ('j') | no next file with comments »