Check new length in array splice and unshift.

If the new length is too large, we must throw a TypeError. Bug: v8:7652 Change-Id: I47268c04405f7a5f5bbc971cd434f2d786af9ca1 Reviewed-on: https://chromium-review.googlesource.com/1013563Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#52624}

Check new length in array splice and unshift.
If the new length is too large, we must throw a TypeError. Bug: v8:7652 Change-Id: I47268c04405f7a5f5bbc971cd434f2d786af9ca1 Reviewed-on: https://chromium-review.googlesource.com/1013563Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#52624}
00a3bfac · Georg Neis · Commit Bot · 2279dda6 · 00a3bfac · 00a3bfac
Commit 00a3bfac authored Apr 16, 2018 by Georg Neis Committed by Commit Bot Apr 16, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 36 additions and 13 deletions

array.js src/js/array.js +22 -13

regress-7652.js test/mjsunit/regress/regress-7652.js +14 -0

No files found.
--- a/src/js/array.js
+++ b/src/js/array.js
@@ -561,20 +561,24 @@ function ArrayUnshiftFallback(arg1) {  // length == 1
  var len = TO_LENGTH(array.length);
  var num_arguments = arguments.length;

-  if (len > 0 && UseSparseVariant(array, len, IS_ARRAY(array), len) &&
-      !%object_is_sealed(array)) {
-    SparseMove(array, 0, 0, len, num_arguments);
-  } else {
-    SimpleMove(array, 0, 0, len, num_arguments);
-  }
+  const new_len = len + num_arguments;
+  if (num_arguments > 0) {
+    if (new_len >= 2**53) throw %make_type_error(kInvalidArrayLength);

-  for (var i = 0; i < num_arguments; i++) {
-    array[i] = arguments[i];
+    if (len > 0 && UseSparseVariant(array, len, IS_ARRAY(array), len) &&
+        !%object_is_sealed(array)) {
+      SparseMove(array, 0, 0, len, num_arguments);
+    } else {
+      SimpleMove(array, 0, 0, len, num_arguments);
+    }
+
+    for (var i = 0; i < num_arguments; i++) {
+      array[i] = arguments[i];
+    }
  }

-  var new_length = len + num_arguments;
-  array.length = new_length;
-  return new_length;
+  array.length = new_len;
+  return new_len;
 }


@@ -624,9 +628,14 @@ function ArraySpliceFallback(start, delete_count) {
  var start_i = ComputeSpliceStartIndex(TO_INTEGER(start), len);
  var del_count = ComputeSpliceDeleteCount(delete_count, num_arguments, len,
                                           start_i);
+  var num_elements_to_add = num_arguments > 2 ? num_arguments - 2 : 0;
+
+  const new_len = len - del_count + num_elements_to_add;
+  if (new_len >= 2**53) throw %make_type_error(kInvalidArrayLength);
+
  var deleted_elements = ArraySpeciesCreate(array, del_count);
  deleted_elements.length = del_count;
-  var num_elements_to_add = num_arguments > 2 ? num_arguments - 2 : 0;
+

  if (del_count != num_elements_to_add && %object_is_sealed(array)) {
    throw %make_type_error(kArrayFunctionsOnSealed);
@@ -658,7 +667,7 @@ function ArraySpliceFallback(start, delete_count) {
  while (arguments_index < arguments_length) {
    array[i++] = arguments[arguments_index++];
  }
-  array.length = len - del_count + num_elements_to_add;
+  array.length = new_len;

  // Return the deleted elements.
  return deleted_elements;

--- a/test/mjsunit/regress/regress-7652.js
+++ b/test/mjsunit/regress/regress-7652.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+let a = {length: 2**53 - 1};
+
+const unshift = Array.prototype.unshift;
+assertThrows(() => unshift.call(a, 42), TypeError);
+assertEquals(unshift.call(a), 2**53 - 1);
+
+const splice = Array.prototype.splice;
+assertThrows(() => splice.call(a, 0, 0, 42), TypeError);
+assertEquals(splice.call(a, 0, 1, 42).length, 1);
+assertEquals(a[0], 42);