| Index: src/runtime.cc
|
| diff --git a/src/runtime.cc b/src/runtime.cc
|
| index 5fe1f9dc5bcb33a93581e2f2ed100d58cfe5c5f0..2fe6ad1eae6babe8faf3216f3837c7dfe49e0f27 100644
|
| --- a/src/runtime.cc
|
| +++ b/src/runtime.cc
|
| @@ -8962,14 +8962,18 @@ class ArrayConcatVisitor {
|
| storage_(Handle<FixedArray>::cast(
|
| isolate->global_handles()->Create(*storage))),
|
| index_offset_(0u),
|
| - fast_elements_(fast_elements) { }
|
| + fast_elements_(fast_elements),
|
| + exceeds_array_limit_(false) { }
|
|
|
| ~ArrayConcatVisitor() {
|
| clear_storage();
|
| }
|
|
|
| void visit(uint32_t i, Handle<Object> elm) {
|
| - if (i >= JSObject::kMaxElementCount - index_offset_) return;
|
| + if (i > JSObject::kMaxElementCount - index_offset_) {
|
| + exceeds_array_limit_ = true;
|
| + return;
|
| + }
|
| uint32_t index = index_offset_ + i;
|
|
|
| if (fast_elements_) {
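Review bot: The relaxed bound in visit() now admits `i == JSObject::kMaxElementCount - index_offset_`, so `index` on the following line can equal kMaxElementCount itself; if that constant is a count (one past the largest addressable index) rather than a maximum index, the element is written one slot past the limit the check exists to enforce, which the original `>=` never allowed. Confirm against the constant's definition before taking `>` over `>=`; if the goal is only to report the overflow instead of silently skipping the element, `if (i >= JSObject::kMaxElementCount - index_offset_) { exceeds_array_limit_ = true; return; }` reports it without widening the accepted range. A short comment on the branch saying that the caller is expected to throw instead of calling ToArray() once the flag is set would make the early return's intent clear. The body of visit() continues past the hunk.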
|
| @@ -9004,6 +9008,10 @@ class ArrayConcatVisitor {
|
| }
|
| }
|
|
|
| + bool exceeds_array_limit() {
|
| + return exceeds_array_limit_;
|
| + }
|
| +
|
| Handle<JSArray> ToArray() {
|
| Handle<JSArray> array = isolate_->factory()->NewJSArray(0);
|
| Handle<Object> length =
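Review bot: exceeds_array_limit() only reads a member, so it should be a const member function, `bool exceeds_array_limit() const { return exceeds_array_limit_; }`, which states the read-only intent and lets it be queried through a const visitor. A one-line comment above it noting that the flag is set by visit() when `index_offset_ + i` would pass JSObject::kMaxElementCount, and that the caller must throw rather than call ToArray() while it is true, would document the contract the new Runtime_ArrayConcat check depends on. ToArray() continues past the hunk.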
|
| @@ -9063,6 +9071,7 @@ class ArrayConcatVisitor {
|
| // JSObject::kMaxElementCount.
|
| uint32_t index_offset_;
|
| bool fast_elements_;
|
| + bool exceeds_array_limit_;
|
| };
|
|
|
|
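Review bot: The new member `exceeds_array_limit_` is the only one in this group without a comment, while the member above it carries one that ends at the top of the hunk; add `// Set by visit() once index_offset_ + i would pass JSObject::kMaxElementCount; callers must not call ToArray() while it is true.` above the declaration. Keeping it declared after fast_elements_, as done here, keeps the declaration order in step with the constructor's initializer order in the first hunk, so no reorder warning is introduced.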
|
| @@ -9618,6 +9627,11 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_ArrayConcat) {
|
| }
|
| }
|
|
|
| + if (visitor.exceeds_array_limit()) {
|
| + return isolate->Throw(
|
| + *isolate->factory()->NewRangeError("invalid_array_length",
|
| + HandleVector<Object>(NULL, 0)));
|
| + }
|
| return *visitor.ToArray();
|
| }
|
|
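Review bot: The check runs only after every argument has been walked, and the loop that drives the visitor starts outside the hunk; since visit() keeps being called after the flag is set, a concat that crosses the limit still processes every remaining element before the RangeError is raised. If the driving loop can observe `visitor.exceeds_array_limit()` (or visit() reported the overflow through its return value), breaking out at the first overflow would avoid that work and leave less partially built state around before the throw. Throwing before ToArray() is the right order, as the result array is only materialized on that path. The signature of Runtime_ArrayConcat and the loop preceding this check are outside the hunk.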
|
|
|