Commit 0855fb15 authored by Jakob Gruber's avatar Jakob Gruber Committed by Commit Bot

[array] Ensure PrepareElementsForSort returns a legal value

PrepareElementsForSort must return a number less than or equal the array
length.

Bug: chromium:897512, v8:7382
Change-Id: If5f9c4d052e623ab9f3300b8534603abbee859fa
Reviewed-on: https://chromium-review.googlesource.com/c/1297958
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: 's avatarCamillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56982}
parent 3f0a307b
...@@ -154,7 +154,15 @@ Object* RemoveArrayHolesGeneric(Isolate* isolate, Handle<JSReceiver> receiver, ...@@ -154,7 +154,15 @@ Object* RemoveArrayHolesGeneric(Isolate* isolate, Handle<JSReceiver> receiver,
MAYBE_RETURN(delete_result, ReadOnlyRoots(isolate).exception()); MAYBE_RETURN(delete_result, ReadOnlyRoots(isolate).exception());
} }
return *isolate->factory()->NewNumberFromUint(result); // TODO(jgruber, szuend, chromium:897512): This is a workaround to prevent
// returning a number greater than array.length to Array.p.sort, which could
// trigger OOB accesses. There is still a correctness bug here though in
// how we shift around undefineds and delete elements in the two blocks above.
// This needs to be fixed soon.
const uint32_t number_of_non_undefined_elements = std::min(limit, result);
return *isolate->factory()->NewNumberFromUint(
number_of_non_undefined_elements);
} }
// Collects all defined (non-hole) and non-undefined (array) elements at the // Collects all defined (non-hole) and non-undefined (array) elements at the
...@@ -171,6 +179,7 @@ Object* RemoveArrayHoles(Isolate* isolate, Handle<JSReceiver> receiver, ...@@ -171,6 +179,7 @@ Object* RemoveArrayHoles(Isolate* isolate, Handle<JSReceiver> receiver,
Handle<JSObject> object = Handle<JSObject>::cast(receiver); Handle<JSObject> object = Handle<JSObject>::cast(receiver);
if (object->HasStringWrapperElements()) { if (object->HasStringWrapperElements()) {
int len = String::cast(Handle<JSValue>::cast(object)->value())->length(); int len = String::cast(Handle<JSValue>::cast(object)->value())->length();
DCHECK_LE(len, limit);
return Smi::FromInt(len); return Smi::FromInt(len);
} }
...@@ -293,6 +302,7 @@ Object* RemoveArrayHoles(Isolate* isolate, Handle<JSReceiver> receiver, ...@@ -293,6 +302,7 @@ Object* RemoveArrayHoles(Isolate* isolate, Handle<JSReceiver> receiver,
} }
} }
DCHECK_LE(result, limit);
return *isolate->factory()->NewNumberFromUint(result); return *isolate->factory()->NewNumberFromUint(result);
} }
......
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Fill up the Array prototype's elements.
for (let i = 0; i < 100; i++) Array.prototype.unshift(3.14);
// Create a holey double elements array.
const o31 = [1.1];
o31[37] = 2.2;
// Concat converts to dictionary elements.
const o51 = o31.concat(false);
// Set one element to undefined to trigger the movement bug.
o51[0] = undefined;
assertEquals(o51.length, 39);
// Sort triggers the bug.
o51.sort();
// TODO(chromium:897512): The length should be 39.
assertEquals(o51.length, 101);
...@@ -1716,7 +1716,6 @@ module array { ...@@ -1716,7 +1716,6 @@ module array {
// 2. Let obj be ? ToObject(this value). // 2. Let obj be ? ToObject(this value).
const obj: JSReceiver = ToObject(context, receiver); const obj: JSReceiver = ToObject(context, receiver);
let map: Map = obj.map;
const sortState: FixedArray = AllocateZeroedFixedArray(kSortStateSize); const sortState: FixedArray = AllocateZeroedFixedArray(kSortStateSize);
...@@ -1724,22 +1723,24 @@ module array { ...@@ -1724,22 +1723,24 @@ module array {
sortState[kUserCmpFnIdx] = comparefnObj; sortState[kUserCmpFnIdx] = comparefnObj;
sortState[kSortComparePtrIdx] = sortState[kSortComparePtrIdx] =
comparefnObj != Undefined ? SortCompareUserFn : SortCompareDefault; comparefnObj != Undefined ? SortCompareUserFn : SortCompareDefault;
sortState[kInitialReceiverMapIdx] = map;
sortState[kBailoutStatusIdx] = kSuccess; sortState[kBailoutStatusIdx] = kSuccess;
try { // 3. Let len be ? ToLength(? Get(obj, "length")).
const a: FastJSArray = Cast<FastJSArray>(receiver) otherwise Slow; const len: Number = GetLengthProperty(obj);
// 3. Let len be ? ToLength(? Get(obj, "length")). if (len < 2) return receiver;
const len: Smi = a.length;
if (len < 2) return receiver;
// TODO(szuend): Investigate performance tradeoff of skipping this step // TODO(szuend): Investigate performance tradeoff of skipping this step
// for PACKED_* and handling Undefineds during sorting. // for PACKED_* and handling Undefineds during sorting.
const nofNonUndefined: Smi = PrepareElementsForSort(context, obj, len); const nofNonUndefined: Smi = PrepareElementsForSort(context, obj, len);
assert(a.map == map); assert(nofNonUndefined <= len);
sortState[kInitialReceiverLengthIdx] = len; let map: Map = obj.map;
sortState[kInitialReceiverMapIdx] = map;
sortState[kInitialReceiverLengthIdx] = len;
try {
let a: FastJSArray = Cast<FastJSArray>(receiver) otherwise Slow;
const elementsKind: ElementsKind = map.elements_kind; const elementsKind: ElementsKind = map.elements_kind;
if (IsDoubleElementsKind(elementsKind)) { if (IsDoubleElementsKind(elementsKind)) {
...@@ -1752,18 +1753,6 @@ module array { ...@@ -1752,18 +1753,6 @@ module array {
ArrayTimSort(context, sortState, nofNonUndefined); ArrayTimSort(context, sortState, nofNonUndefined);
} }
label Slow { label Slow {
// 3. Let len be ? ToLength(? Get(obj, "length")).
const len: Number = GetLengthProperty(obj);
if (len < 2) return receiver;
const nofNonUndefined: Smi = PrepareElementsForSort(context, obj, len);
sortState[kInitialReceiverLengthIdx] = len;
// Reload the map, PrepareElementsForSort might have changed the
// elements kind.
map = obj.map;
if (map.elements_kind == DICTIONARY_ELEMENTS && IsExtensibleMap(map) && if (map.elements_kind == DICTIONARY_ELEMENTS && IsExtensibleMap(map) &&
!IsCustomElementsReceiverInstanceType(map.instance_type)) { !IsCustomElementsReceiverInstanceType(map.instance_type)) {
InitializeSortStateAccessor<DictionaryElements>(sortState); InitializeSortStateAccessor<DictionaryElements>(sortState);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment