Harden builtins BuildResultFromMatchInfo and URIDecodeOctets

R=yangguo@chromium.org Review URL: https://codereview.chromium.org/286203010 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21343 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Harden builtins BuildResultFromMatchInfo and URIDecodeOctets
R=yangguo@chromium.org Review URL: https://codereview.chromium.org/286203010 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21343 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
8407277c · jkummerow@chromium.org · 5843a335 · 8407277c · 8407277c · 8407277c
Commit 8407277c authored May 16, 2014 by jkummerow@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 18 deletions

hydrogen.cc src/hydrogen.cc +7 -5

regexp.js src/regexp.js +15 -12

uri.js src/uri.js +7 -0

generate-runtime-tests.py tools/generate-runtime-tests.py +1 -1

No files found.
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -1535,12 +1535,14 @@ HValue* HGraphBuilder::BuildRegExpConstructResult(HValue* length,
  // Compute the size of the RegExpResult followed by FixedArray with length.
  HValue* size = length;
-  size = AddUncasted<HShl>(size, Add<HConstant>(kPointerSizeLog2));
+  // Make sure size does not exceed max regular heap object size.
-  size = AddUncasted<HAdd>(size, Add<HConstant>(static_cast<int32_t>(
+  const int kHeaderSize = JSRegExpResult::kSize + FixedArray::kHeaderSize;
-              JSRegExpResult::kSize + FixedArray::kHeaderSize)));
+  const int kMaxLength =
+      (Page::kMaxRegularHeapObjectSize - kHeaderSize) >> kPointerSizeLog2;
+  Add<HBoundsCheck>(size, Add<HConstant>(kMaxLength));
-  // Make sure size does not exceeds max regular heap object size.
+  size = AddUncasted<HShl>(size, Add<HConstant>(kPointerSizeLog2));
-  Add<HBoundsCheck>(size, Add<HConstant>(Page::kMaxRegularHeapObjectSize));
+  size = AddUncasted<HAdd>(size, Add<HConstant>(kHeaderSize));
  // Allocate the JSRegExpResult and the FixedArray in one step.
  HValue* result = Add<HAllocate>(

--- a/src/regexp.js
+++ b/src/regexp.js
@@ -108,23 +108,26 @@ function DoRegExpExec(regexp, string, index) {
 }
-function BuildResultFromMatchInfo(lastMatchInfo, s) {
+// This is kind of performance sensitive, so we want to avoid unnecessary
-  var numResults = NUMBER_OF_CAPTURES(lastMatchInfo) >> 1;
+// type checks on inputs. But we also don't want to inline it several times
-  var start = lastMatchInfo[CAPTURE0];
+// manually, so we use a macro :-)
-  var end = lastMatchInfo[CAPTURE1];
+macro RETURN_NEW_RESULT_FROM_MATCH_INFO(MATCHINFO, STRING)
-  var result = %_RegExpConstructResult(numResults, start, s);
+  var numResults = NUMBER_OF_CAPTURES(MATCHINFO) >> 1;
-  result[0] = %_SubString(s, start, end);
+  var start = MATCHINFO[CAPTURE0];
+  var end = MATCHINFO[CAPTURE1];
+  var result = %_RegExpConstructResult(numResults, start, STRING);
+  result[0] = %_SubString(STRING, start, end);
  var j = REGEXP_FIRST_CAPTURE + 2;
  for (var i = 1; i < numResults; i++) {
-    start = lastMatchInfo[j++];
+    start = MATCHINFO[j++];
    if (start != -1) {
-      end = lastMatchInfo[j];
+      end = MATCHINFO[j];
-      result[i] = %_SubString(s, start, end);
+      result[i] = %_SubString(STRING, start, end);
    }
    j++;
  }
  return result;
-}
+endmacro
 function RegExpExecNoTests(regexp, string, start) {
@@ -132,7 +135,7 @@ function RegExpExecNoTests(regexp, string, start) {
  var matchInfo = %_RegExpExec(regexp, string, start, lastMatchInfo);
  if (matchInfo !== null) {
    lastMatchInfoOverride = null;
-    return BuildResultFromMatchInfo(matchInfo, string);
+    RETURN_NEW_RESULT_FROM_MATCH_INFO(matchInfo, string);
  }
  regexp.lastIndex = 0;
  return null;
@@ -175,7 +178,7 @@ function RegExpExec(string) {
  if (global) {
    this.lastIndex = lastMatchInfo[CAPTURE1];
  }
-  return BuildResultFromMatchInfo(matchIndices, string);
+  RETURN_NEW_RESULT_FROM_MATCH_INFO(matchIndices, string);
 }

--- a/src/uri.js
+++ b/src/uri.js
@@ -84,6 +84,7 @@ function URIHexCharsToCharCode(highChar, lowChar) {
 function URIDecodeOctets(octets, result, index) {
+  if (!IS_STRING(result)) throw new $URIError("Internal error");
  var value;
  var o0 = octets[0];
  if (o0 < 0x80) {
@@ -148,9 +149,15 @@ function URIDecodeOctets(octets, result, index) {
    throw new $URIError("URI malformed");
  }
  if (value < 0x10000) {
+    if (index < 0 || index >= result.length) {
+      throw new $URIError("Internal error");
+    }
    %_TwoByteSeqStringSetChar(result, index++, value);
    return index;
  } else {
+    if (index < 0 || index >= result.length - 1) {
+      throw new $URIError("Internal error");
+    }
    %_TwoByteSeqStringSetChar(result, index++, (value >> 10) + 0xd7c0);
    %_TwoByteSeqStringSetChar(result, index++, (value & 0x3ff) + 0xdc00);
    return index;

--- a/tools/generate-runtime-tests.py
+++ b/tools/generate-runtime-tests.py
@@ -51,7 +51,7 @@ EXPECTED_FUNCTION_COUNT = 362
 EXPECTED_FUZZABLE_COUNT = 329
 EXPECTED_CCTEST_COUNT = 6
 EXPECTED_UNKNOWN_COUNT = 5
-EXPECTED_BUILTINS_COUNT = 827
+EXPECTED_BUILTINS_COUNT = 826
 # Don't call these at all.