More runtime hardening

R=dslomov@chromium.org Review URL: https://codereview.chromium.org/256293002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@21039 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

More runtime hardening
R=dslomov@chromium.org Review URL: https://codereview.chromium.org/256293002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@21039 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
c16a83af · jkummerow@chromium.org · 55342170 · c16a83af
Commit c16a83af authored Apr 29, 2014 by jkummerow@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 6 deletions

runtime.cc src/runtime.cc +18 -6

No files found.
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -2768,6 +2768,9 @@ RUNTIME_FUNCTION(Runtime_FinishArrayPrototypeSetup) {
  HandleScope scope(isolate);
  ASSERT(args.length() == 1);
  CONVERT_ARG_HANDLE_CHECKED(JSArray, prototype, 0);
+  Object* length = prototype->length();
+  RUNTIME_ASSERT(length->IsSmi() && Smi::cast(length)->value() == 0);
+  RUNTIME_ASSERT(prototype->HasFastSmiOrObjectElements());
  // This is necessary to enable fast checks for absence of elements
  // on Array.prototype and below.
  prototype->set_elements(isolate->heap()->empty_fixed_array());
@@ -3091,6 +3094,7 @@ RUNTIME_FUNCTION(Runtime_SetCode) {
  Handle<SharedFunctionInfo> target_shared(target->shared());
  Handle<SharedFunctionInfo> source_shared(source->shared());
+  RUNTIME_ASSERT(!source_shared->bound());
  if (!Compiler::EnsureCompiled(source, KEEP_EXCEPTION)) {
    return isolate->heap()->exception();
@@ -6326,6 +6330,7 @@ RUNTIME_FUNCTION(Runtime_TruncateString) {
  ASSERT(args.length() == 2);
  CONVERT_ARG_HANDLE_CHECKED(SeqString, string, 0);
  CONVERT_SMI_ARG_CHECKED(new_length, 1);
+  RUNTIME_ASSERT(new_length >= 0);
  return *SeqString::Truncate(string, new_length);
 }
@@ -6771,6 +6776,7 @@ RUNTIME_FUNCTION(Runtime_StringSplit) {
  CONVERT_ARG_HANDLE_CHECKED(String, subject, 0);
  CONVERT_ARG_HANDLE_CHECKED(String, pattern, 1);
  CONVERT_NUMBER_CHECKED(uint32_t, limit, Uint32, args[2]);
+  RUNTIME_ASSERT(limit > 0);
  int subject_length = subject->length();
  int pattern_length = pattern->length();
@@ -7204,7 +7210,6 @@ static inline int StringBuilderConcatLength(int special_length,
        *one_byte = false;
      }
    } else {
-      ASSERT(!elt->IsTheHole());
      return -1;
    }
    if (increment > String::kMaxLength - position) {
@@ -7233,6 +7238,7 @@ RUNTIME_FUNCTION(Runtime_StringBuilderConcat) {
  // This assumption is used by the slice encoding in one or two smis.
  ASSERT(Smi::kMaxValue >= String::kMaxLength);
+  RUNTIME_ASSERT(array->HasFastElements());
  JSObject::EnsureCanContainHeapObjectElements(array);
  int special_length = special->length();
@@ -8202,10 +8208,10 @@ RUNTIME_FUNCTION(Runtime_FunctionBindArguments) {
      GetCallerArguments(isolate, 0, &argc);
  // Don't count the this-arg.
  if (argc > 0) {
-    ASSERT(*arguments[0] == args[2]);
+    RUNTIME_ASSERT(*arguments[0] == args[2]);
    argc--;
  } else {
-    ASSERT(args[2]->IsUndefined());
+    RUNTIME_ASSERT(args[2]->IsUndefined());
  }
  // Initialize array of bindings (function, this, and any existing arguments
  // if the function was already bound).
@@ -8214,6 +8220,7 @@ RUNTIME_FUNCTION(Runtime_FunctionBindArguments) {
  if (bindee->IsJSFunction() && JSFunction::cast(*bindee)->shared()->bound()) {
    Handle<FixedArray> old_bindings(
        JSFunction::cast(*bindee)->function_bindings());
+    RUNTIME_ASSERT(old_bindings->length() > JSFunction::kBoundFunctionIndex);
    new_bindings =
        isolate->factory()->NewFixedArray(old_bindings->length() + argc);
    bindee = Handle<Object>(old_bindings->get(JSFunction::kBoundFunctionIndex),
@@ -8256,7 +8263,7 @@ RUNTIME_FUNCTION(Runtime_BoundFunctionGetBindings) {
    Handle<JSFunction> function = Handle<JSFunction>::cast(callable);
    if (function->shared()->bound()) {
      Handle<FixedArray> bindings(function->function_bindings());
-      ASSERT(bindings->map() == isolate->heap()->fixed_cow_array_map());
+      RUNTIME_ASSERT(bindings->map() == isolate->heap()->fixed_cow_array_map());
      return *isolate->factory()->NewJSArrayWithElements(bindings);
    }
  }
@@ -8617,6 +8624,7 @@ RUNTIME_FUNCTION(Runtime_RunningInSimulator) {
 RUNTIME_FUNCTION(Runtime_IsConcurrentRecompilationSupported) {
  SealHandleScope shs(isolate);
+  ASSERT(args.length() == 0);
  return isolate->heap()->ToBoolean(
      isolate->concurrent_recompilation_enabled());
 }
@@ -9662,6 +9670,7 @@ RUNTIME_FUNCTION(Runtime_DateParseString) {
  CONVERT_ARG_HANDLE_CHECKED(String, str, 0);
  CONVERT_ARG_HANDLE_CHECKED(JSArray, output, 1);
+  RUNTIME_ASSERT(output->HasFastElements());
  JSObject::EnsureCanContainHeapObjectElements(output);
  RUNTIME_ASSERT(output->HasFastObjectElements());
  Handle<FixedArray> output_array(FixedArray::cast(output->elements()));
@@ -14541,12 +14550,15 @@ RUNTIME_FUNCTION(Runtime_LoadMutableDouble) {
  CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
  CONVERT_ARG_HANDLE_CHECKED(Smi, index, 1);
  int idx = index->value() >> 1;
+  int inobject_properties = object->map()->inobject_properties();
  if (idx < 0) {
-    idx = -idx + object->map()->inobject_properties() - 1;
+    idx = -idx + inobject_properties - 1;
  }
+  int max_idx = object->properties()->length() + inobject_properties;
+  RUNTIME_ASSERT(idx < max_idx);
  Handle<Object> raw_value(object->RawFastPropertyAt(idx), isolate);
  RUNTIME_ASSERT(raw_value->IsNumber() || raw_value->IsUninitialized());
-  return *JSObject::FastPropertyAt(object, Representation::Double(), idx);
+  return *Object::NewStorageFor(isolate, raw_value, Representation::Double());
 }