Commit 4f51af6d authored by Victor Gomes's avatar Victor Gomes Committed by V8 LUCI CQ

[runtime] TryFastArrayFill can throw exception

Bug: chromium:1206994, chromium:1206754, chromium:1206822
Change-Id: I8ccd501c5a918613fad59afdd65ca499ee57d7a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2882805
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74500}
parent 91cfbda6
...@@ -208,16 +208,16 @@ V8_WARN_UNUSED_RESULT Object GenericArrayFill(Isolate* isolate, ...@@ -208,16 +208,16 @@ V8_WARN_UNUSED_RESULT Object GenericArrayFill(Isolate* isolate,
return *receiver; return *receiver;
} }
V8_WARN_UNUSED_RESULT bool TryFastArrayFill( V8_WARN_UNUSED_RESULT Maybe<bool> TryFastArrayFill(
Isolate* isolate, BuiltinArguments* args, Handle<JSReceiver> receiver, Isolate* isolate, BuiltinArguments* args, Handle<JSReceiver> receiver,
Handle<Object> value, double start_index, double end_index) { Handle<Object> value, double start_index, double end_index) {
// If indices are too large, use generic path since they are stored as // If indices are too large, use generic path since they are stored as
// properties, not in the element backing store. // properties, not in the element backing store.
if (end_index > kMaxUInt32) return false; if (end_index > kMaxUInt32) return Just(false);
if (!receiver->IsJSObject()) return false; if (!receiver->IsJSObject()) return Just(false);
if (!EnsureJSArrayWithWritableFastElements(isolate, receiver, args, 1, 1)) { if (!EnsureJSArrayWithWritableFastElements(isolate, receiver, args, 1, 1)) {
return false; return Just(false);
} }
Handle<JSArray> array = Handle<JSArray>::cast(receiver); Handle<JSArray> array = Handle<JSArray>::cast(receiver);
...@@ -241,14 +241,14 @@ V8_WARN_UNUSED_RESULT bool TryFastArrayFill( ...@@ -241,14 +241,14 @@ V8_WARN_UNUSED_RESULT bool TryFastArrayFill(
CHECK(DoubleToUint32IfEqualToSelf(end_index, &end)); CHECK(DoubleToUint32IfEqualToSelf(end_index, &end));
ElementsAccessor* accessor = array->GetElementsAccessor(); ElementsAccessor* accessor = array->GetElementsAccessor();
accessor->Fill(array, value, start, end); RETURN_ON_EXCEPTION_VALUE(isolate, accessor->Fill(array, value, start, end),
return true; Nothing<bool>());
return Just(true);
} }
} // namespace } // namespace
BUILTIN(ArrayPrototypeFill) { BUILTIN(ArrayPrototypeFill) {
HandleScope scope(isolate); HandleScope scope(isolate);
if (isolate->debug_execution_mode() == DebugInfo::kSideEffects) { if (isolate->debug_execution_mode() == DebugInfo::kSideEffects) {
if (!isolate->debug()->PerformSideEffectCheckForObject(args.receiver())) { if (!isolate->debug()->PerformSideEffectCheckForObject(args.receiver())) {
return ReadOnlyRoots(isolate).exception(); return ReadOnlyRoots(isolate).exception();
...@@ -293,10 +293,12 @@ BUILTIN(ArrayPrototypeFill) { ...@@ -293,10 +293,12 @@ BUILTIN(ArrayPrototypeFill) {
Handle<Object> value = args.atOrUndefined(isolate, 1); Handle<Object> value = args.atOrUndefined(isolate, 1);
if (TryFastArrayFill(isolate, &args, receiver, value, start_index, bool success;
end_index)) { MAYBE_ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
return *receiver; isolate, success,
} TryFastArrayFill(isolate, &args, receiver, value, start_index,
end_index));
if (success) return *receiver;
return GenericArrayFill(isolate, receiver, value, start_index, end_index); return GenericArrayFill(isolate, receiver, value, start_index, end_index);
} }
......
...@@ -66,7 +66,7 @@ class ElementsAccessor { ...@@ -66,7 +66,7 @@ class ElementsAccessor {
// changing array sizes as defined in EcmaScript 5.1 15.4.5.2, i.e. array that // changing array sizes as defined in EcmaScript 5.1 15.4.5.2, i.e. array that
// have non-deletable elements can only be shrunk to the size of highest // have non-deletable elements can only be shrunk to the size of highest
// element that is non-deletable. // element that is non-deletable.
virtual Maybe<bool> SetLength(Handle<JSArray> holder, V8_WARN_UNUSED_RESULT virtual Maybe<bool> SetLength(Handle<JSArray> holder,
uint32_t new_length) = 0; uint32_t new_length) = 0;
// Copy all indices that have elements from |object| into the given // Copy all indices that have elements from |object| into the given
...@@ -97,13 +97,14 @@ class ElementsAccessor { ...@@ -97,13 +97,14 @@ class ElementsAccessor {
Handle<JSObject> receiver, KeyAccumulator* accumulator, Handle<JSObject> receiver, KeyAccumulator* accumulator,
AddKeyConversion convert) = 0; AddKeyConversion convert) = 0;
virtual Maybe<bool> TransitionElementsKind(Handle<JSObject> object, V8_WARN_UNUSED_RESULT virtual Maybe<bool> TransitionElementsKind(
Handle<Map> map) = 0; Handle<JSObject> object, Handle<Map> map) = 0;
virtual Maybe<bool> GrowCapacityAndConvert(Handle<JSObject> object, V8_WARN_UNUSED_RESULT virtual Maybe<bool> GrowCapacityAndConvert(
uint32_t capacity) = 0; Handle<JSObject> object, uint32_t capacity) = 0;
// Unlike GrowCapacityAndConvert do not attempt to convert the backing store // Unlike GrowCapacityAndConvert do not attempt to convert the backing store
// and simply return false in this case. // and simply return false in this case.
virtual Maybe<bool> GrowCapacity(Handle<JSObject> object, uint32_t index) = 0; V8_WARN_UNUSED_RESULT virtual Maybe<bool> GrowCapacity(
Handle<JSObject> object, uint32_t index) = 0;
static void InitializeOncePerProcess(); static void InitializeOncePerProcess();
static void TearDown(); static void TearDown();
...@@ -111,30 +112,35 @@ class ElementsAccessor { ...@@ -111,30 +112,35 @@ class ElementsAccessor {
virtual void Set(Handle<JSObject> holder, InternalIndex entry, virtual void Set(Handle<JSObject> holder, InternalIndex entry,
Object value) = 0; Object value) = 0;
virtual Maybe<bool> Add(Handle<JSObject> object, uint32_t index, V8_WARN_UNUSED_RESULT virtual Maybe<bool> Add(Handle<JSObject> object,
Handle<Object> value, PropertyAttributes attributes, uint32_t index,
Handle<Object> value,
PropertyAttributes attributes,
uint32_t new_capacity) = 0; uint32_t new_capacity) = 0;
static Handle<JSArray> Concat(Isolate* isolate, BuiltinArguments* args, static Handle<JSArray> Concat(Isolate* isolate, BuiltinArguments* args,
uint32_t concat_size, uint32_t result_length); uint32_t concat_size, uint32_t result_length);
virtual Maybe<uint32_t> Push(Handle<JSArray> receiver, BuiltinArguments* args, V8_WARN_UNUSED_RESULT virtual Maybe<uint32_t> Push(Handle<JSArray> receiver,
BuiltinArguments* args,
uint32_t push_size) = 0; uint32_t push_size) = 0;
virtual Maybe<uint32_t> Unshift(Handle<JSArray> receiver, V8_WARN_UNUSED_RESULT virtual Maybe<uint32_t> Unshift(
BuiltinArguments* args, Handle<JSArray> receiver, BuiltinArguments* args,
uint32_t unshift_size) = 0; uint32_t unshift_size) = 0;
virtual MaybeHandle<Object> Pop(Handle<JSArray> receiver) = 0; V8_WARN_UNUSED_RESULT virtual MaybeHandle<Object> Pop(
Handle<JSArray> receiver) = 0;
virtual MaybeHandle<Object> Shift(Handle<JSArray> receiver) = 0; V8_WARN_UNUSED_RESULT virtual MaybeHandle<Object> Shift(
Handle<JSArray> receiver) = 0;
virtual Handle<NumberDictionary> Normalize(Handle<JSObject> object) = 0; virtual Handle<NumberDictionary> Normalize(Handle<JSObject> object) = 0;
virtual size_t GetCapacity(JSObject holder, FixedArrayBase backing_store) = 0; virtual size_t GetCapacity(JSObject holder, FixedArrayBase backing_store) = 0;
virtual MaybeHandle<Object> Fill(Handle<JSObject> receiver, V8_WARN_UNUSED_RESULT virtual MaybeHandle<Object> Fill(
Handle<Object> obj_value, size_t start, Handle<JSObject> receiver, Handle<Object> obj_value, size_t start,
size_t end) = 0; size_t end) = 0;
// Check an Object's own elements for an element (using SameValueZero // Check an Object's own elements for an element (using SameValueZero
......
...@@ -5781,7 +5781,7 @@ TEST(Regress598319) { ...@@ -5781,7 +5781,7 @@ TEST(Regress598319) {
v8::HandleScope scope(CcTest::isolate()); v8::HandleScope scope(CcTest::isolate());
Handle<JSArray> js_array = isolate->factory()->NewJSArrayWithElements( Handle<JSArray> js_array = isolate->factory()->NewJSArrayWithElements(
Handle<FixedArray>(arr.get(), isolate)); Handle<FixedArray>(arr.get(), isolate));
js_array->GetElementsAccessor()->Shift(js_array); js_array->GetElementsAccessor()->Shift(js_array).Check();
} }
break; break;
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment