Commit 2222a9d6 authored by Mike Stanton's avatar Mike Stanton Committed by Commit Bot

[Builtins] Array.prototype.reduce missing length check

In the recent port of reduce() and reduceRight(), a check for a length
change during the loop (standard for iterating builtins) was omitted.

We did get array bounds check protection, however it didn't expose
the issue in our tests because the bounds check is against the
backing store length, not against the length in the referring JSArray.

Also added a test for reduceRight().

R=jgruber@chromium.org

Bug: chromium:937676
Change-Id: I76e22e0d71965bff84a0822b1df5dc818a00b50e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1503732Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60033}
parent 7103c194
...@@ -119,6 +119,9 @@ namespace array { ...@@ -119,6 +119,9 @@ namespace array {
for (let k: Smi = smiLen - 1; k >= 0; k--) { for (let k: Smi = smiLen - 1; k >= 0; k--) {
fastOW.Recheck() otherwise goto Bailout(k, accumulator); fastOW.Recheck() otherwise goto Bailout(k, accumulator);
// Ensure that we haven't walked beyond a possibly updated length.
if (k >= fastOW.Get().length) goto Bailout(k, accumulator);
const value: Object = fastOW.LoadElementNoHole(k) otherwise continue; const value: Object = fastOW.LoadElementNoHole(k) otherwise continue;
if (accumulator == Hole) { if (accumulator == Hole) {
accumulator = value; accumulator = value;
......
...@@ -118,6 +118,9 @@ namespace array { ...@@ -118,6 +118,9 @@ namespace array {
for (let k: Smi = 0; k < len; k++) { for (let k: Smi = 0; k < len; k++) {
fastOW.Recheck() otherwise goto Bailout(k, accumulator); fastOW.Recheck() otherwise goto Bailout(k, accumulator);
// Ensure that we haven't walked beyond a possibly updated length.
if (k >= fastOW.Get().length) goto Bailout(k, accumulator);
const value: Object = fastOW.LoadElementNoHole(k) otherwise continue; const value: Object = fastOW.LoadElementNoHole(k) otherwise continue;
if (accumulator == Hole) { if (accumulator == Hole) {
accumulator = value; accumulator = value;
......
...@@ -509,6 +509,13 @@ testReduce("reduce", "ArrayManipulationShort", 3, ...@@ -509,6 +509,13 @@ testReduce("reduce", "ArrayManipulationShort", 3,
[1, 2, 1, [1, 2], 3], [1, 2, 1, [1, 2], 3],
], arr, manipulator, 0); ], arr, manipulator, 0);
var arr = [1, 2, 3, 4];
testReduce("reduceRight", "RightArrayManipulationShort", 7,
[[0, 4, 3, [1, 2, 3, 4], 4],
[4, 2, 1, [1, 2], 6],
[6, 1, 0, [1], 7],
], arr, manipulator, 0);
var arr = [1, 2, 3, 4, 5]; var arr = [1, 2, 3, 4, 5];
testReduce("reduce", "ArrayManipulationLonger", 10, testReduce("reduce", "ArrayManipulationLonger", 10,
[[0, 1, 0, [1, 2, 3, 4, 5], 1], [[0, 1, 0, [1, 2, 3, 4, 5], 1],
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment