[typedarray] Use slow case more aggressively in CopyElementsHandleImpl

Change-Id: If133fe47a086ed273446ee7e8f8af85bf9fc8389 Reviewed-on: https://chromium-review.googlesource.com/1108203 Commit-Queue: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#53921}

[typedarray] Use slow case more aggressively in CopyElementsHandleImpl
Change-Id: If133fe47a086ed273446ee7e8f8af85bf9fc8389 Reviewed-on: https://chromium-review.googlesource.com/1108203 Commit-Queue: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#53921}
bededee4 · Peter Marshall · Commit Bot · b8cf9627 · bededee4 · bededee4
Commit bededee4 authored Jun 21, 2018 by Peter Marshall Committed by Commit Bot Jun 21, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 36 additions and 5 deletions

elements.cc src/elements.cc +21 -4

regress-854066-2.js test/mjsunit/regress/regress-854066-2.js +14 -0

regress-854066.js test/mjsunit/regress/regress-854066.js +1 -1

No files found.
--- a/src/elements.cc
+++ b/src/elements.cc
@@ -3408,6 +3408,16 @@ class TypedElementsAccessor
    DisallowHeapAllocation no_gc;
    DisallowJavascriptExecution no_js(isolate);

+    size_t current_length;
+    DCHECK(source->length()->IsNumber() &&
+           TryNumberToSize(source->length(), &current_length) &&
+           length <= current_length);
+    USE(current_length);
+
+    size_t dest_length = destination->length_value();
+    DCHECK(length + offset <= dest_length);
+    USE(dest_length);
+
    ElementsKind kind = source->GetElementsKind();
    BackingStore* dest = BackingStore::cast(destination->elements());

@@ -3553,10 +3563,17 @@ class TypedElementsAccessor

    // Fast cases for packed numbers kinds where we don't need to allocate.
    if (source->IsJSArray()) {
-      Handle<JSArray> source_array = Handle<JSArray>::cast(source);
-      if (TryCopyElementsFastNumber(isolate->context(), *source_array,
-                                    *destination_ta, length, offset)) {
-        return *isolate->factory()->undefined_value();
+      Handle<JSArray> source_js_array = Handle<JSArray>::cast(source);
+      size_t current_length;
+      if (source_js_array->length()->IsNumber() &&
+          TryNumberToSize(source_js_array->length(), &current_length)) {
+        if (length <= current_length) {
+          Handle<JSArray> source_array = Handle<JSArray>::cast(source);
+          if (TryCopyElementsFastNumber(isolate->context(), *source_array,
+                                        *destination_ta, length, offset)) {
+            return *isolate->factory()->undefined_value();
+          }
+        }
      }
    }
    // Final generic case that handles prototype chain lookups, getters, proxies

--- a/test/mjsunit/regress/regress-854066-2.js
+++ b/test/mjsunit/regress/regress-854066-2.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+oobArray = [];
+delete oobArray.__proto__[Symbol.iterator];
+for (let i = 0; i < 1e5; ++i) {
+  oobArray[i] = 1.1;
+}
+floatArray = new Float64Array(oobArray.length);
+Float64Array.from.call(function(length) {
+  oobArray.length = 0;
+  return floatArray;
+}, oobArray);
--- a/test/mjsunit/regress/regress-854066.js
+++ b/test/mjsunit/regress/regress-854066.js
@@ -3,7 +3,7 @@
 // found in the LICENSE file.

 oobArray = [];
-for (let i = 0; i < 1024 * 1024; ++i) {
+for (let i = 0; i < 1e5; ++i) {
  oobArray[i] = 1.1;
 }
 floatArray = new Float64Array(oobArray.length);