[array] Fix bounds check in ArrayConcat

The recent change crrev.com/c/2712755 got a bounds check wrong, causing an invalid use of the lookup iterator. Bug: v8:1185072 Change-Id: I3138d266cb4b2482dcb5078fb025bbfc43dd2940 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2742196 Commit-Queue: Igor Sheludko <ishell@chromium.org> Auto-Submit: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#73250}

[array] Fix bounds check in ArrayConcat
The recent change crrev.com/c/2712755 got a bounds check wrong, causing an invalid use of the lookup iterator. Bug: v8:1185072 Change-Id: I3138d266cb4b2482dcb5078fb025bbfc43dd2940 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2742196 Commit-Queue: Igor Sheludko <ishell@chromium.org> Auto-Submit: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#73250}
40f8b099 · Jakob Gruber · Commit Bot · 215a6c6e · 40f8b099 · 40f8b099
Commit 40f8b099 authored Mar 08, 2021 by Jakob Gruber Committed by Commit Bot Mar 08, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 1 deletion

builtins-array.cc src/builtins/builtins-array.cc +4 -1

lookup-inl.h src/objects/lookup-inl.h +1 -0

regress-1185072.js test/mjsunit/regress/regress-1185072.js +26 -0

No files found.
--- a/src/builtins/builtins-array.cc
+++ b/src/builtins/builtins-array.cc
@@ -662,7 +662,10 @@ class ArrayConcatVisitor {
  V8_WARN_UNUSED_RESULT bool visit(uint32_t i, Handle<Object> elm) {
    uint32_t index = index_offset_ + i;

-    if (i > JSArray::kMaxArrayIndex - index_offset_) {
+    // Note we use >=kMaxArrayLength instead of the more appropriate
+    // >kMaxArrayIndex here due to overflowing arithmetic and
+    // increase_index_offset.
+    if (i >= JSArray::kMaxArrayLength - index_offset_) {
      set_exceeds_array_limit(true);
      // Exception hasn't been thrown at this point. Return true to
      // break out, and caller will throw. !visit would imply that

--- a/src/objects/lookup-inl.h
+++ b/src/objects/lookup-inl.h
@@ -85,6 +85,7 @@ LookupIterator::LookupIterator(Isolate* isolate, Handle<Object> receiver,
    }
    Start<true>();
  } else {
+    DCHECK(!name_.is_null());
    name_ = isolate->factory()->InternalizeName(name_);
 #ifdef DEBUG
    // Assert that the name is not an index.

--- a/test/mjsunit/regress/regress-1185072.js
+++ b/test/mjsunit/regress/regress-1185072.js
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function __getProperties(obj) {
+  let properties = [];
+  for (let name of Object.getOwnPropertyNames(obj)) {
+    properties.push(name);
+  }
+  return properties;
+}
+function __getRandomProperty(obj, seed) {
+  let properties = __getProperties(obj);
+  return properties[seed % properties.length];
+}
+let __v_19 = [];
+class __c_0 extends Array {}
+Object.defineProperty(__v_19, 'constructor', {
+  get() {
+    return __c_0;
+  }
+});
+Object.defineProperty(__v_19, __getRandomProperty(__v_19, 776790), {
+  value: 4294967295
+});
+assertThrows(() => __v_19.concat([1])[9], RangeError);