Commit b6693635 authored by Frank Tang's avatar Frank Tang Committed by Commit Bot

[intl] Fix ubsan problem in Intl.Segmenter.

Cast to int32_t after checking the range.

Bug: v8:10921

Cq-Include-Trybots: luci.v8.try:v8_linux64_ubsan_rel_ng,v8_linux64_asan_rel_ng,v8_linux64_tsan_isolates_rel_ng,v8_linux64_msan_rel_ng,v8_linux64_tsan_rel_ng,v8_mac64_asan_rel_ng,v8_win64_asan_rel_ng,v8_linux64_gcc_compile_dbg,v8_linux_gcc_compile_rel,v8_linux_gcc_rel_ng,v8_linux64_gc_stress_custom_snapshot_dbg_ng,v8_linux_arm64_gc_stress_dbg_ng,v8_linux_gc_stress_dbg_ng,v8_mac64_gc_stress_dbg_ng;luci.chromium.try:linux_chromium_ubsan_rel_ng

Change-Id: I9c3631a2f3aa34bc9c87a6f40a2888b38832978c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2414622
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: 's avatarJakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70008}
parent fa12fa73
...@@ -1034,8 +1034,8 @@ BUILTIN(SegmentsPrototypeContaining) { ...@@ -1034,8 +1034,8 @@ BUILTIN(SegmentsPrototypeContaining) {
Object::ToInteger(isolate, index)); Object::ToInteger(isolate, index));
double const n = index->Number(); double const n = index->Number();
RETURN_RESULT_OR_FAILURE( RETURN_RESULT_OR_FAILURE(isolate,
isolate, JSSegments::Containing(isolate, segments, static_cast<int>(n))); JSSegments::Containing(isolate, segments, n));
} }
// ecma402 #sec-%segmentsprototype%-@@iterator // ecma402 #sec-%segmentsprototype%-@@iterator
......
...@@ -60,15 +60,16 @@ MaybeHandle<JSSegments> JSSegments::Create(Isolate* isolate, ...@@ -60,15 +60,16 @@ MaybeHandle<JSSegments> JSSegments::Create(Isolate* isolate,
// ecma402 #sec-%segmentsprototype%.containing // ecma402 #sec-%segmentsprototype%.containing
MaybeHandle<Object> JSSegments::Containing(Isolate* isolate, MaybeHandle<Object> JSSegments::Containing(Isolate* isolate,
Handle<JSSegments> segments, Handle<JSSegments> segments,
int32_t n) { double n_double) {
// 5. Let len be the length of string. // 5. Let len be the length of string.
int32_t len = segments->unicode_string().raw()->length(); int32_t len = segments->unicode_string().raw()->length();
// 7. If n < 0 or n ≥ len, return undefined. // 7. If n < 0 or n ≥ len, return undefined.
if (n < 0 || n >= len) { if (n_double < 0 || n_double >= len) {
return isolate->factory()->undefined_value(); return isolate->factory()->undefined_value();
} }
int32_t n = static_cast<int32_t>(n_double);
// n may point to the surrogate tail- adjust it back to the lead. // n may point to the surrogate tail- adjust it back to the lead.
n = segments->unicode_string().raw()->getChar32Start(n); n = segments->unicode_string().raw()->getChar32Start(n);
......
...@@ -35,7 +35,7 @@ class JSSegments : public TorqueGeneratedJSSegments<JSSegments, JSObject> { ...@@ -35,7 +35,7 @@ class JSSegments : public TorqueGeneratedJSSegments<JSSegments, JSObject> {
// ecma402 #sec-%segmentsprototype%.containing // ecma402 #sec-%segmentsprototype%.containing
V8_WARN_UNUSED_RESULT static MaybeHandle<Object> Containing( V8_WARN_UNUSED_RESULT static MaybeHandle<Object> Containing(
Isolate* isolate, Handle<JSSegments> segments_holder, int32_t index); Isolate* isolate, Handle<JSSegments> segments_holder, double n);
// ecma402 #sec-createsegmentdataobject // ecma402 #sec-createsegmentdataobject
V8_WARN_UNUSED_RESULT static MaybeHandle<Object> CreateSegmentDataObject( V8_WARN_UNUSED_RESULT static MaybeHandle<Object> CreateSegmentDataObject(
......
...@@ -537,9 +537,6 @@ ...@@ -537,9 +537,6 @@
# http://crbug/v8/10844 # http://crbug/v8/10844
'intl402/NumberFormat/dft-currency-mnfd-range-check-mxfd': [FAIL], 'intl402/NumberFormat/dft-currency-mnfd-range-check-mxfd': [FAIL],
# http://crbug/v8/10921
'intl402/Segmenter/prototype/segment/containing/out-of-bound-index': [SKIP],
# https://bugs.chromium.org/p/v8/issues/detail?id=7831 # https://bugs.chromium.org/p/v8/issues/detail?id=7831
'language/statements/generators/generator-created-after-decl-inst': [FAIL], 'language/statements/generators/generator-created-after-decl-inst': [FAIL],
'language/expressions/generators/generator-created-after-decl-inst': [FAIL], 'language/expressions/generators/generator-created-after-decl-inst': [FAIL],
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment