Commit 087ae1b0 authored by jkummerow's avatar jkummerow Committed by Commit bot

Fix off-by-one in Array.concat's max index check

The maximum valid index is strictly smaller than the maximum valid length.

BUG=chromium:516592
LOG=y
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1278703003

Cr-Commit-Position: refs/heads/master@{#30040}
parent ee005fbb
...@@ -133,7 +133,7 @@ class ArrayConcatVisitor { ...@@ -133,7 +133,7 @@ class ArrayConcatVisitor {
~ArrayConcatVisitor() { clear_storage(); } ~ArrayConcatVisitor() { clear_storage(); }
void visit(uint32_t i, Handle<Object> elm) { void visit(uint32_t i, Handle<Object> elm) {
if (i > JSObject::kMaxElementCount - index_offset_) { if (i >= JSObject::kMaxElementCount - index_offset_) {
set_exceeds_array_limit(true); set_exceeds_array_limit(true);
return; return;
} }
......
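Review bot: The corrected guard `i >= JSObject::kMaxElementCount - index_offset_` silently encodes that the largest legal element index is kMaxElementCount - 1, and nothing in the code says so, so the next reader may "fix" it back to `>`; a one-line comment such as `// The largest legal index is kMaxElementCount - 1, so i + index_offset_ must stay below kMaxElementCount.` above the `if` would pin the reasoning from the commit message to the code. The subtraction is also only meaningful while index_offset_ <= kMaxElementCount: if the offset is unsigned and can grow past that value (its updates are outside this hunk), the difference wraps to a huge number and the check stops rejecting anything, so a `DCHECK_LE(index_offset_, JSObject::kMaxElementCount);` before the comparison would make that invariant explicit where it is relied on. The rest of ArrayConcatVisitor lies outside the hunk.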
...@@ -36,7 +36,6 @@ assertThrows(function() { a.concat(a); }, RangeError); ...@@ -36,7 +36,6 @@ assertThrows(function() { a.concat(a); }, RangeError);
var b = []; var b = [];
b[pow31 - 3] = 32; b[pow31 - 3] = 32;
b[pow31 - 2] = "out_of_bounds";
var ab = a.concat(b); var ab = a.concat(b);
assertEquals(2 * pow31 - 1, ab.length); assertEquals(2 * pow31 - 1, ab.length);
assertEquals(31, ab[pow31]); assertEquals(31, ab[pow31]);
......
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var i = Math.pow(2, 31);
var a = [];
a[i] = 31;
var b = [];
b[i - 2] = 33;
try {
// This is supposed to throw a RangeError.
var c = a.concat(b);
// If it didn't, ObservableSetLength will detect the problem.
Object.observe(c, function() {});
c.length = 1;
} catch(e) {
assertTrue(e instanceof RangeError);
}
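Review bot: The try block passes silently if `a.concat(b)` returns normally and the Object.observe probe does not trip on the bad length, because no statement after `c.length = 1;` fails the test; adding `assertUnreachable("a.concat(b) should throw RangeError");` as the last statement of the try block keeps the Object.observe path that reproduces the bug and still makes the expected RangeError explicit, in line with the assertThrows used by the sibling test in this commit. Object.observe is a V8-specific feature that never became standard, so a short comment stating that this regression test deliberately depends on it would help whoever later has to port or retire the test.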