Commit 633910e6 authored by Camillo Bruni, committed by Commit Bot

[CSA] Add bounds check for indexed loads and stores

Change-Id: I9d8b13df0af987d9fcacdf57f2cfd71ec21b3ff9
Reviewed-on: https://chromium-review.googlesource.com/1042708
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53013}
parent dcbd5234
......@@ -883,12 +883,12 @@ TF_BUILTIN(TypedArrayStoreElementFromTagged, TypedArrayBuiltinsAssembler) {
TNode<Smi> index_node = CAST(Parameter(Descriptor::kIndex));
TNode<Object> value = CAST(Parameter(Descriptor::kValue));
TNode<RawPtrT> data_pointer = UncheckedCast<RawPtrT>(LoadDataPtr(array));
TNode<FixedTypedArrayBase> elements = CAST(LoadElements(array));
TNode<Int32T> elements_kind = SmiToInt32(kind);
DispatchTypedArrayByElementsKind(
elements_kind, [&](ElementsKind el_kind, int, int) {
StoreFixedTypedArrayElementFromTagged(context, data_pointer, index_node,
StoreFixedTypedArrayElementFromTagged(context, elements, index_node,
value, el_kind, SMI_PARAMETERS);
});
Return(UndefinedConstant());
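Review bot: The new side hands `elements` to StoreFixedTypedArrayElementFromTagged so the callee can check the index, but whether that check is a release-mode guard or a debug-only CSA_ASSERT is not visible here (the callee's diff is collapsed), so the contract for `index_node` should be stated at the builtin itself. Suggest a comment above the dispatch such as `// |index_node| must already be in-bounds for |array|; the callee's check is a consistency check, not validation of an untrusted index.` — or the opposite wording if the check does branch in release builds. If the `data_pointer` load on L15 survives on the new side it is now unused and should be dropped, since the callee presumably derives the raw pointer from |elements| itself. The TF_BUILTIN body begins before this hunk.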
......@@ -678,7 +678,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
// Load an array element from a FixedArray / WeakFixedArray.
TNode<MaybeObject> LoadArrayElement(
SloppyTNode<Object> object, int array_header_size, Node* index,
SloppyTNode<HeapObject> object, int array_header_size, Node* index,
int additional_offset = 0,
ParameterMode parameter_mode = INTPTR_PARAMETERS,
LoadSensitivity needs_poisoning = LoadSensitivity::kSafe);
......@@ -746,6 +746,8 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
Node* object, Node* index, int additional_offset = 0,
ParameterMode parameter_mode = INTPTR_PARAMETERS);
TNode<IntPtrT> LoadFeedbackVectorLength(TNode<FeedbackVector>);
// Load Float64 value by |base| + |offset| address. If the value is a double
// hole then jump to |if_hole|. If |machine_type| is None then only the hole
// check is generated.
......@@ -762,11 +764,9 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
Node* LoadFixedBigUint64ArrayElementAsTagged(Node* data_pointer,
Node* offset);
void StoreFixedTypedArrayElementFromTagged(TNode<Context> context,
TNode<RawPtrT> data_pointer,
TNode<Object> index_node,
TNode<Object> value,
ElementsKind elements_kind,
void StoreFixedTypedArrayElementFromTagged(
TNode<Context> context, TNode<FixedTypedArrayBase> elements,
TNode<Object> index_node, TNode<Object> value, ElementsKind elements_kind,
ParameterMode parameter_mode);
// Context manipulation
......@@ -2046,7 +2046,8 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
TNode<Context> context,
Label* opt_if_neutered);
// Part of the above, refactored out to reuse in another place
void EmitBigTypedArrayElementStore(TNode<RawPtrT> backing_store,
void EmitBigTypedArrayElementStore(TNode<FixedTypedArrayBase> elements,
TNode<RawPtrT> backing_store,
TNode<IntPtrT> offset,
TNode<BigInt> bigint_value);
......@@ -2220,6 +2221,11 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
TNode<IntPtrT> ElementOffsetFromIndex(Node* index, ElementsKind kind,
ParameterMode mode, int base_size = 0);
// Check that a field offset is within the bounds of the an object.
TNode<BoolT> IsOffsetInBounds(SloppyTNode<IntPtrT> offset,
SloppyTNode<IntPtrT> length, int header_size,
ElementsKind kind = HOLEY_ELEMENTS);
// Load a builtin's code from the builtin array in the isolate.
TNode<Code> LoadBuiltin(TNode<Smi> builtin_id);
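Review bot: The new IsOffsetInBounds declaration (L67-L70) documents neither the unit of `offset` nor what `length` counts, and its comment has a typo (`the bounds of the an object`); since this is the predicate the commit's bounds checks hinge on, its contract should be explicit. Suggest replacing the comment with `// Returns true iff |offset| (a byte offset from the start of the object, including |header_size|) addresses an element of an array holding |length| elements of |kind|.` Whether callers wrap it in CSA_ASSERT (debug-only) or branch on it in release code is not visible in this header; if it is assert-only the comment should say so, because a reader could otherwise take it for input validation of an untrusted index. On EmitBigTypedArrayElementStore (L60-L63), `backing_store` is now passed alongside `elements` although one is presumably derivable from the other, so a one-line comment stating that both must describe the same array would guard against mismatched arguments. The CodeStubAssembler class body continues on both sides of these hunks.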
......@@ -2462,8 +2462,7 @@ IGNITION_HANDLER(GetTemplateObject, InterpreterAssembler) {
Node* context = GetContext();
Node* result =
CallRuntime(Runtime::kCreateTemplateObject, context, description);
StoreFeedbackVectorSlot(feedback_vector, slot, result, UPDATE_WRITE_BARRIER,
0, INTPTR_PARAMETERS);
StoreFeedbackVectorSlot(feedback_vector, slot, result);
SetAccumulator(result);
Dispatch();
}
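Review bot: The simplified StoreFeedbackVectorSlot call on L80 now relies on the declaration's defaults for write-barrier mode, additional offset and ParameterMode, which the old call spelled out; none of those defaults is visible in this hunk, so correctness depends on the default mode being INTPTR_PARAMETERS and on `slot` carrying an IntPtr value. If `slot` is still a bare `Node*` where it is produced (above this hunk), declaring it as `TNode<IntPtrT>` would let a mode mismatch fail at compile time instead of silently addressing the wrong slot. GetTemplateObject's handler body begins before this hunk.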
......@@ -17138,6 +17138,7 @@ void MakeStringThin(String* string, String* internalized, Isolate* isolate) {
} // namespace
// static
Handle<String> StringTable::LookupString(Isolate* isolate,
Handle<String> string) {
string = String::Flatten(string);
......@@ -17171,6 +17172,7 @@ Handle<String> StringTable::LookupString(Isolate* isolate,
return result;
}
// static
Handle<String> StringTable::LookupKey(Isolate* isolate, StringTableKey* key) {
Handle<StringTable> table = isolate->factory()->string_table();
int entry = table->FindEntry(key);