Commit 633910e6 authored by Camillo Bruni, committed by Commit Bot

[CSA] Add bounds check for indexed loads and stores

Change-Id: I9d8b13df0af987d9fcacdf57f2cfd71ec21b3ff9
Reviewed-on: https://chromium-review.googlesource.com/1042708
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53013}
parent dcbd5234
...@@ -883,12 +883,12 @@ TF_BUILTIN(TypedArrayStoreElementFromTagged, TypedArrayBuiltinsAssembler) { ...@@ -883,12 +883,12 @@ TF_BUILTIN(TypedArrayStoreElementFromTagged, TypedArrayBuiltinsAssembler) {
TNode<Smi> index_node = CAST(Parameter(Descriptor::kIndex)); TNode<Smi> index_node = CAST(Parameter(Descriptor::kIndex));
TNode<Object> value = CAST(Parameter(Descriptor::kValue)); TNode<Object> value = CAST(Parameter(Descriptor::kValue));
TNode<RawPtrT> data_pointer = UncheckedCast<RawPtrT>(LoadDataPtr(array)); TNode<FixedTypedArrayBase> elements = CAST(LoadElements(array));
TNode<Int32T> elements_kind = SmiToInt32(kind); TNode<Int32T> elements_kind = SmiToInt32(kind);
DispatchTypedArrayByElementsKind( DispatchTypedArrayByElementsKind(
elements_kind, [&](ElementsKind el_kind, int, int) { elements_kind, [&](ElementsKind el_kind, int, int) {
StoreFixedTypedArrayElementFromTagged(context, data_pointer, index_node, StoreFixedTypedArrayElementFromTagged(context, elements, index_node,
value, el_kind, SMI_PARAMETERS); value, el_kind, SMI_PARAMETERS);
}); });
Return(UndefinedConstant()); Return(UndefinedConstant());
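Review bot: The call site now passes the tagged `elements` object to StoreFixedTypedArrayElementFromTagged instead of the raw data pointer, but nothing in the builtin says why; a one-line comment above the dispatch would help, e.g. `// Pass the elements object rather than the raw data pointer so the store helper can bounds-check |index_node| against the array length.` The helper's body is not on this page, so whether that check is a release-build guard or only an assertion cannot be confirmed here and should be stated where the helper is defined. The TF_BUILTIN body starts before this hunk and its closing brace lies after it.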
...@@ -678,7 +678,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler { ...@@ -678,7 +678,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
// Load an array element from a FixedArray / WeakFixedArray. // Load an array element from a FixedArray / WeakFixedArray.
TNode<MaybeObject> LoadArrayElement( TNode<MaybeObject> LoadArrayElement(
SloppyTNode<Object> object, int array_header_size, Node* index, SloppyTNode<HeapObject> object, int array_header_size, Node* index,
int additional_offset = 0, int additional_offset = 0,
ParameterMode parameter_mode = INTPTR_PARAMETERS, ParameterMode parameter_mode = INTPTR_PARAMETERS,
LoadSensitivity needs_poisoning = LoadSensitivity::kSafe); LoadSensitivity needs_poisoning = LoadSensitivity::kSafe);
...@@ -746,6 +746,8 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler { ...@@ -746,6 +746,8 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
Node* object, Node* index, int additional_offset = 0, Node* object, Node* index, int additional_offset = 0,
ParameterMode parameter_mode = INTPTR_PARAMETERS); ParameterMode parameter_mode = INTPTR_PARAMETERS);
TNode<IntPtrT> LoadFeedbackVectorLength(TNode<FeedbackVector>);
// Load Float64 value by |base| + |offset| address. If the value is a double // Load Float64 value by |base| + |offset| address. If the value is a double
// hole then jump to |if_hole|. If |machine_type| is None then only the hole // hole then jump to |if_hole|. If |machine_type| is None then only the hole
// check is generated. // check is generated.
...@@ -762,12 +764,10 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler { ...@@ -762,12 +764,10 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
Node* LoadFixedBigUint64ArrayElementAsTagged(Node* data_pointer, Node* LoadFixedBigUint64ArrayElementAsTagged(Node* data_pointer,
Node* offset); Node* offset);
void StoreFixedTypedArrayElementFromTagged(TNode<Context> context, void StoreFixedTypedArrayElementFromTagged(
TNode<RawPtrT> data_pointer, TNode<Context> context, TNode<FixedTypedArrayBase> elements,
TNode<Object> index_node, TNode<Object> index_node, TNode<Object> value, ElementsKind elements_kind,
TNode<Object> value, ParameterMode parameter_mode);
ElementsKind elements_kind,
ParameterMode parameter_mode);
// Context manipulation // Context manipulation
TNode<Object> LoadContextElement(SloppyTNode<Context> context, TNode<Object> LoadContextElement(SloppyTNode<Context> context,
...@@ -2046,7 +2046,8 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler { ...@@ -2046,7 +2046,8 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
TNode<Context> context, TNode<Context> context,
Label* opt_if_neutered); Label* opt_if_neutered);
// Part of the above, refactored out to reuse in another place // Part of the above, refactored out to reuse in another place
void EmitBigTypedArrayElementStore(TNode<RawPtrT> backing_store, void EmitBigTypedArrayElementStore(TNode<FixedTypedArrayBase> elements,
TNode<RawPtrT> backing_store,
TNode<IntPtrT> offset, TNode<IntPtrT> offset,
TNode<BigInt> bigint_value); TNode<BigInt> bigint_value);
...@@ -2220,6 +2221,11 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler { ...@@ -2220,6 +2221,11 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
TNode<IntPtrT> ElementOffsetFromIndex(Node* index, ElementsKind kind, TNode<IntPtrT> ElementOffsetFromIndex(Node* index, ElementsKind kind,
ParameterMode mode, int base_size = 0); ParameterMode mode, int base_size = 0);
// Check that a field offset is within the bounds of the an object.
TNode<BoolT> IsOffsetInBounds(SloppyTNode<IntPtrT> offset,
SloppyTNode<IntPtrT> length, int header_size,
ElementsKind kind = HOLEY_ELEMENTS);
// Load a builtin's code from the builtin array in the isolate. // Load a builtin's code from the builtin array in the isolate.
TNode<Code> LoadBuiltin(TNode<Smi> builtin_id); TNode<Code> LoadBuiltin(TNode<Smi> builtin_id);
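Review bot: The comment on the new `IsOffsetInBounds` declaration reads "within the bounds of the an object" and does not say what `length`, `header_size` and `kind` contribute, nor whether callers emit the result as a runtime guard or only as a debug assertion. If the intended contract is what the parameter names suggest, something like `// Returns true if |offset| falls inside an object whose |length| elements of kind |kind| follow |header_size| bytes of header.` plus a sentence on where the result is consumed would make the security-relevant part explicit. The `LoadFeedbackVectorLength(TNode<FeedbackVector>)` declaration added in the earlier hunk of this file has an unnamed parameter and no comment while its neighbours are commented; naming the parameter and adding a one-line comment in the same style would match the surrounding declarations.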
...@@ -2462,8 +2462,7 @@ IGNITION_HANDLER(GetTemplateObject, InterpreterAssembler) { ...@@ -2462,8 +2462,7 @@ IGNITION_HANDLER(GetTemplateObject, InterpreterAssembler) {
Node* context = GetContext(); Node* context = GetContext();
Node* result = Node* result =
CallRuntime(Runtime::kCreateTemplateObject, context, description); CallRuntime(Runtime::kCreateTemplateObject, context, description);
StoreFeedbackVectorSlot(feedback_vector, slot, result, UPDATE_WRITE_BARRIER, StoreFeedbackVectorSlot(feedback_vector, slot, result);
0, INTPTR_PARAMETERS);
SetAccumulator(result); SetAccumulator(result);
Dispatch(); Dispatch();
} }
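Review bot: The shortened `StoreFeedbackVectorSlot(feedback_vector, slot, result);` call now depends on the helper's default arguments standing in for the removed `UPDATE_WRITE_BARRIER, 0, INTPTR_PARAMETERS`; that declaration is not on this page, so it should be confirmed that the defaults are exactly those values, since a different default barrier mode or parameter mode would change the emitted code without any compile error. If they do match, the simplification is fine as is.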
...@@ -17138,6 +17138,7 @@ void MakeStringThin(String* string, String* internalized, Isolate* isolate) { ...@@ -17138,6 +17138,7 @@ void MakeStringThin(String* string, String* internalized, Isolate* isolate) {
} // namespace } // namespace
// static
Handle<String> StringTable::LookupString(Isolate* isolate, Handle<String> StringTable::LookupString(Isolate* isolate,
Handle<String> string) { Handle<String> string) {
string = String::Flatten(string); string = String::Flatten(string);
...@@ -17171,6 +17172,7 @@ Handle<String> StringTable::LookupString(Isolate* isolate, ...@@ -17171,6 +17172,7 @@ Handle<String> StringTable::LookupString(Isolate* isolate,
return result; return result;
} }
// static
Handle<String> StringTable::LookupKey(Isolate* isolate, StringTableKey* key) { Handle<String> StringTable::LookupKey(Isolate* isolate, StringTableKey* key) {
Handle<StringTable> table = isolate->factory()->string_table(); Handle<StringTable> table = isolate->factory()->string_table();
int entry = table->FindEntry(key); int entry = table->FindEntry(key);