Adding checks for the cases when array grows too big.

Review URL: http://codereview.chromium.org/601092 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3887 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Adding checks for the cases when array grows too big.
Review URL: http://codereview.chromium.org/601092 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3887 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
a3466441 · antonm@chromium.org · 1684b2d9 · a3466441 · a3466441 · a3466441
Commit a3466441 authored Feb 17, 2010 by antonm@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 46 additions and 0 deletions

builtins.cc src/builtins.cc +11 -0

array-splice.js test/mjsunit/array-splice.js +19 -0

array-unshift.js test/mjsunit/array-unshift.js +16 -0

No files found.
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -251,6 +251,9 @@ BUILTIN(ArrayPush) {
  if (to_add == 0) {
    return Smi::FromInt(len);
  }
+  // Currently fixed arrays cannot grow too big, so
+  // we should never hit this case.
+  ASSERT(to_add <= (Smi::kMaxValue - len));

  int new_length = len + to_add;
  FixedArray* elms = FixedArray::cast(array->elements());
@@ -370,6 +373,10 @@ BUILTIN(ArrayUnshift) {
  // the array.

  int new_length = len + to_add;
+  // Currently fixed arrays cannot grow too big, so
+  // we should never hit this case.
+  ASSERT(to_add <= (Smi::kMaxValue - len));
+
  FixedArray* elms = FixedArray::cast(array->elements());

  // Fetch the prototype.
@@ -614,6 +621,10 @@ BUILTIN(ArraySplice) {
      elms->set(k - 1, Heap::the_hole_value());
    }
  } else if (itemCount > actualDeleteCount) {
+    // Currently fixed arrays cannot grow too big, so
+    // we should never hit this case.
+    ASSERT((itemCount - actualDeleteCount) <= (Smi::kMaxValue - len));
+
    FixedArray* source_elms = elms;

    // Check if array need to grow.

--- a/test/mjsunit/array-splice.js
+++ b/test/mjsunit/array-splice.js
@@ -268,3 +268,22 @@
    assertFalse(array.hasOwnProperty(2 << 32 - 1));
  }
 })();
+
+
+// Check the behaviour when approaching maximal values for length.
+(function() {
+  for (var i = 0; i < 7; i++) {
+    try {
+      new Array((1 << 32) - 3).splice(-1, 0, 1, 2, 3, 4, 5);
+      throw 'Should have thrown RangeError';
+    } catch (e) {
+      assertTrue(e instanceof RangeError);
+    }
+
+    // Check smi boundary
+    var bigNum = (1 << 30) - 3;
+    var array = new Array(bigNum);
+    array.splice(-1, 0, 1, 2, 3, 4, 5, 6, 7);
+    assertEquals(bigNum + 7, array.length);
+  }
+})();
--- a/test/mjsunit/array-unshift.js
+++ b/test/mjsunit/array-unshift.js
@@ -114,3 +114,19 @@
  assertTrue(delete Array.prototype[5]);
  assertTrue(delete Array.prototype[7]);
 })();
+
+// Check the behaviour when approaching maximal values for length.
+(function() {
+  for (var i = 0; i < 7; i++) {
+    try {
+      new Array((1 << 32) - 3).unshift(1, 2, 3, 4, 5);
+      throw 'Should have thrown RangeError';
+    } catch (e) {
+      assertTrue(e instanceof RangeError);
+    }
+
+    // Check smi boundary
+    var bigNum = (1 << 30) - 3;
+    assertEquals(bigNum + 7, new Array(bigNum).unshift(1, 2, 3, 4, 5, 6, 7));
+  }
+})();