[es2015] Clear JSTypedArray raw fields in the constructor.

The JSTypedArray instance is created early on in the TypedArray constructors, using EmitFastNewObject, which puts Undefined into all slots. But the code might still produce an exception afterwards leaving the JSTypedArray in a weird state. It's not a security issue since the object doesn't escape, but it confuses the heap verifier. Bug: chromium:885404, v8:4153, v8:7881, v8:8171 Change-Id: I5fb8131fcae69edf4a92602ed477dca305c3d6c7 Reviewed-on: https://chromium-review.googlesource.com/1233257 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#56019}

[es2015] Clear JSTypedArray raw fields in the constructor.
The JSTypedArray instance is created early on in the TypedArray constructors, using EmitFastNewObject, which puts Undefined into all slots. But the code might still produce an exception afterwards leaving the JSTypedArray in a weird state. It's not a security issue since the object doesn't escape, but it confuses the heap verifier. Bug: chromium:885404, v8:4153, v8:7881, v8:8171 Change-Id: I5fb8131fcae69edf4a92602ed477dca305c3d6c7 Reviewed-on: https://chromium-review.googlesource.com/1233257 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#56019}
984048e8 · Benedikt Meurer · Commit Bot · 44e77f8d · 984048e8 · 984048e8
Commit 984048e8 authored Sep 19, 2018 by Benedikt Meurer Committed by Commit Bot Sep 19, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 0 deletions

builtins-typed-array-gen.cc src/builtins/builtins-typed-array-gen.cc +11 -0

regress-crbug-885404.js test/mjsunit/regress/regress-crbug-885404.js +11 -0

No files found.
--- a/src/builtins/builtins-typed-array-gen.cc
+++ b/src/builtins/builtins-typed-array-gen.cc
@@ -681,6 +681,17 @@ TF_BUILTIN(CreateTypedArray, TypedArrayBuiltinsAssembler) {
  ConstructorBuiltinsAssembler constructor_assembler(this->state());
  TNode<JSTypedArray> result = CAST(
      constructor_assembler.EmitFastNewObject(context, target, new_target));
+  // We need to set the byte_offset / byte_length to some sane values
+  // to keep the heap verifier happy.
+  // TODO(bmeurer): Fix this initialization to not use EmitFastNewObject,
+  // which causes the problem, since it puts Undefined into all slots of
+  // the object even though that doesn't make any sense for these fields.
+  StoreObjectFieldNoWriteBarrier(result, JSTypedArray::kByteOffsetOffset,
+                                 UintPtrConstant(0),
+                                 MachineType::PointerRepresentation());
+  StoreObjectFieldNoWriteBarrier(result, JSTypedArray::kByteLengthOffset,
+                                 UintPtrConstant(0),
+                                 MachineType::PointerRepresentation());

  TNode<Smi> element_size =
      SmiTag(GetTypedArrayElementSize(LoadElementsKind(result)));

--- a/test/mjsunit/regress/regress-crbug-885404.js
+++ b/test/mjsunit/regress/regress-crbug-885404.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --verify-heap --expose-gc
+
+var ab = new ArrayBuffer(2);
+try { new Int32Array(ab); } catch (e) { }
+assertEquals(2, ab.byteLength);
+gc();
+assertEquals(2, ab.byteLength);