Commit 75eab984 authored by Simon Zünd, committed by Commit Bot

Throw OOM when allocating uninitialized FixedArrays with negative length

This CL fixes a negative capacity check up the call-chain to fix an
issue found by ClusterFuzz. This is temporary since mid-term we want to
change the interface of allocation functions to take an unsigned C++
type, so implicit conversion errors like this one can't happen.

Fixed: chromium:1041240
Change-Id: Ib344e5738d2648fbf9a2951ca943ff566ddd5f09
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000134
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65746}
parent 9ab99f29
......@@ -486,8 +486,10 @@ Handle<FixedArray> Factory::NewFixedArrayWithHoles(int length,
}
Handle<FixedArray> Factory::NewUninitializedFixedArray(int length) {
DCHECK_LE(0, length);
if (length == 0) return empty_fixed_array();
if (length < 0 || length > FixedArray::kMaxLength) {
isolate()->heap()->FatalProcessOutOfMemory("invalid array length");
}
// TODO(ulan): As an experiment this temporarily returns an initialized fixed
// array. After getting canary/performance coverage, either remove the
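Review bot: The `DCHECK_LE(0, length)` at the top of the hunk and the new `length < 0` branch cannot both survive on the new side and still satisfy the test this CL adds: in a debug build a negative length trips the DCHECK first, and the death-test expectation "Fatal javascript OOM in invalid array length" would never match. The rendered page has lost the +/- markers, so it is unclear whether the DCHECK line was removed; the 8→10 line count in the hunk header is consistent with `-1/+3`, but if the DCHECK is still there it should be dropped. A short why-comment on the new guard would also help, since the description calls this a stopgap: `// length is a signed int and callers can reach here with a negative value via implicit conversion; treat it like an oversized request (crbug.com/1041240).` The rest of NewUninitializedFixedArray's body lies outside the hunk.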
......
......@@ -211,6 +211,7 @@ v8_source_set("unittests_sources") {
"parser/ast-value-unittest.cc",
"parser/preparser-unittest.cc",
"profiler/strings-storage-unittest.cc",
"regress/regress-crbug-1041240-unittest.cc",
"regress/regress-crbug-938251-unittest.cc",
"run-all-unittests.cc",
"strings/char-predicates-unittest.cc",
......
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "src/execution/isolate.h"
#include "src/heap/factory.h"
#include "test/unittests/test-utils.h"
namespace v8 {
namespace internal {
using NewUninitializedFixedArrayTest = TestWithIsolateAndZone;
TEST_F(NewUninitializedFixedArrayTest, ThrowOnNegativeLength) {
ASSERT_DEATH_IF_SUPPORTED({ factory()->NewUninitializedFixedArray(-1); },
"Fatal javascript OOM in invalid array length");
}
} // namespace internal
} // namespace v8
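Review bot: The death test pins only the negative case, while the guard it exercises also rejects `length > FixedArray::kMaxLength`; a second `ASSERT_DEATH_IF_SUPPORTED` with `FixedArray::kMaxLength + 1` (assuming that does not overflow int) would cover the other half of the same condition and catch a regression if the two checks are later split. The expected string is coupled to how `Heap::FatalProcessOutOfMemory` formats its message, so a one-line comment above the assertion such as `// Expected text is the prefix Heap::FatalProcessOutOfMemory prints.` would explain why a literal substring is matched rather than a pattern.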