Harden yet more runtime functions

R=dslomov@chromium.org Review URL: https://codereview.chromium.org/270273005 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21197 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Harden yet more runtime functions
R=dslomov@chromium.org Review URL: https://codereview.chromium.org/270273005 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21197 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
c55cdb5e · jkummerow@chromium.org · 8999a006 · c55cdb5e · c55cdb5e · c55cdb5e
Commit c55cdb5e authored May 08, 2014 by jkummerow@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 55 additions and 28 deletions

debug.cc src/debug.cc +3 -3

debug.h src/debug.h +1 -1

liveedit.h src/liveedit.h +7 -3

runtime.cc src/runtime.cc +44 -21

No files found.
--- a/src/debug.cc
+++ b/src/debug.cc
@@ -1108,7 +1108,7 @@ Handle<DebugInfo> Debug::GetDebugInfo(Handle<SharedFunctionInfo> shared) {
 }


-void Debug::SetBreakPoint(Handle<JSFunction> function,
+bool Debug::SetBreakPoint(Handle<JSFunction> function,
                          Handle<Object> break_point_object,
                          int* source_position) {
  HandleScope scope(isolate_);
@@ -1119,7 +1119,7 @@ void Debug::SetBreakPoint(Handle<JSFunction> function,
  Handle<SharedFunctionInfo> shared(function->shared());
  if (!EnsureDebugInfo(shared, function)) {
    // Return if retrieving debug info failed.
-    return;
+    return true;
  }

  Handle<DebugInfo> debug_info = GetDebugInfo(shared);
@@ -1134,7 +1134,7 @@ void Debug::SetBreakPoint(Handle<JSFunction> function,
  *source_position = it.position();

  // At least one active break point now.
-  ASSERT(debug_info->GetBreakPointCount() > 0);
+  return debug_info->GetBreakPointCount() > 0;
 }



--- a/src/debug.h
+++ b/src/debug.h
@@ -219,7 +219,7 @@ class Debug {
  void PreemptionWhileInDebugger();

  Object* Break(Arguments args);
-  void SetBreakPoint(Handle<JSFunction> function,
+  bool SetBreakPoint(Handle<JSFunction> function,
                     Handle<Object> break_point_object,
                     int* source_position);
  bool SetBreakPointForScript(Handle<Script> script,

--- a/src/liveedit.h
+++ b/src/liveedit.h
@@ -278,9 +278,13 @@ class FunctionInfoWrapper : public JSArrayBasedStruct<FunctionInfoWrapper> {
 class SharedInfoWrapper : public JSArrayBasedStruct<SharedInfoWrapper> {
 public:
  static bool IsInstance(Handle<JSArray> array) {
-    return array->length() == Smi::FromInt(kSize_) &&
-        Object::GetElement(array->GetIsolate(), array, kSharedInfoOffset_)
-            .ToHandleChecked()->IsJSValue();
+    if (array->length() != Smi::FromInt(kSize_)) return false;
+    Handle<Object> element(
+        Object::GetElement(array->GetIsolate(),
+                           array,
+                           kSharedInfoOffset_).ToHandleChecked());
+    if (!element->IsJSValue()) return false;
+    return Handle<JSValue>::cast(element)->value()->IsSharedFunctionInfo();
  }

  explicit SharedInfoWrapper(Handle<JSArray> array)

--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -978,6 +978,8 @@ RUNTIME_FUNCTION(Runtime_TypedArrayInitialize) {
      &fixed_elements_kind,
      &element_size);

+  RUNTIME_ASSERT(holder->map()->elements_kind() == fixed_elements_kind);
+
  size_t byte_offset = 0;
  size_t byte_length = 0;
  RUNTIME_ASSERT(TryNumberToSize(isolate, *byte_offset_object, &byte_offset));
@@ -986,7 +988,7 @@ RUNTIME_FUNCTION(Runtime_TypedArrayInitialize) {
  holder->set_byte_offset(*byte_offset_object);
  holder->set_byte_length(*byte_length_object);

-  CHECK_EQ(0, static_cast<int>(byte_length % element_size));
+  RUNTIME_ASSERT(byte_length % element_size == 0);
  size_t length = byte_length / element_size;

  if (length > static_cast<unsigned>(Smi::kMaxValue)) {
@@ -1062,6 +1064,8 @@ RUNTIME_FUNCTION(Runtime_TypedArrayInitializeFromArrayLike) {
      &fixed_elements_kind,
      &element_size);

+  RUNTIME_ASSERT(holder->map()->elements_kind() == fixed_elements_kind);
+
  Handle<JSArrayBuffer> buffer = isolate->factory()->NewJSArrayBuffer();
  if (source->IsJSTypedArray() &&
      JSTypedArray::cast(*source)->type() == array_type) {
@@ -1739,6 +1743,7 @@ RUNTIME_FUNCTION(Runtime_WeakCollectionGet) {
  CONVERT_ARG_HANDLE_CHECKED(Object, key, 1);
  Handle<ObjectHashTable> table(
      ObjectHashTable::cast(weak_collection->table()));
+  RUNTIME_ASSERT(table->IsKey(*key));
  Handle<Object> lookup(table->Lookup(key), isolate);
  return lookup->IsTheHole() ? isolate->heap()->undefined_value() : *lookup;
 }
@@ -1751,6 +1756,7 @@ RUNTIME_FUNCTION(Runtime_WeakCollectionHas) {
  CONVERT_ARG_HANDLE_CHECKED(Object, key, 1);
  Handle<ObjectHashTable> table(
      ObjectHashTable::cast(weak_collection->table()));
+  RUNTIME_ASSERT(table->IsKey(*key));
  Handle<Object> lookup(table->Lookup(key), isolate);
  return isolate->heap()->ToBoolean(!lookup->IsTheHole());
 }
@@ -1763,6 +1769,7 @@ RUNTIME_FUNCTION(Runtime_WeakCollectionDelete) {
  CONVERT_ARG_HANDLE_CHECKED(Object, key, 1);
  Handle<ObjectHashTable> table(ObjectHashTable::cast(
      weak_collection->table()));
+  RUNTIME_ASSERT(table->IsKey(*key));
  Handle<Object> lookup(table->Lookup(key), isolate);
  Handle<ObjectHashTable> new_table =
      ObjectHashTable::Put(table, key, isolate->factory()->the_hole_value());
@@ -1779,6 +1786,7 @@ RUNTIME_FUNCTION(Runtime_WeakCollectionSet) {
  CONVERT_ARG_HANDLE_CHECKED(Object, value, 2);
  Handle<ObjectHashTable> table(
      ObjectHashTable::cast(weak_collection->table()));
+  RUNTIME_ASSERT(table->IsKey(*key));
  Handle<ObjectHashTable> new_table = ObjectHashTable::Put(table, key, value);
  weak_collection->set_table(*new_table);
  return isolate->heap()->undefined_value();
@@ -4305,6 +4313,7 @@ RUNTIME_FUNCTION(Runtime_StringReplaceGlobalRegExpWithString) {
  CONVERT_ARG_HANDLE_CHECKED(JSArray, last_match_info, 3);

  RUNTIME_ASSERT(regexp->GetFlags().is_global());
+  RUNTIME_ASSERT(last_match_info->HasFastObjectElements());

  subject = String::Flatten(subject);

@@ -4735,12 +4744,11 @@ static Object* SearchRegExpMultiple(
  RegExpImpl::GlobalCache global_cache(regexp, subject, true, isolate);
  if (global_cache.HasException()) return isolate->heap()->exception();

-  Handle<FixedArray> result_elements;
-  if (result_array->HasFastObjectElements()) {
-    result_elements =
-        Handle<FixedArray>(FixedArray::cast(result_array->elements()));
-  }
-  if (result_elements.is_null() || result_elements->length() < 16) {
+  // Ensured in Runtime_RegExpExecMultiple.
+  ASSERT(result_array->HasFastObjectElements());
+  Handle<FixedArray> result_elements(
+      FixedArray::cast(result_array->elements()));
+  if (result_elements->length() < 16) {
    result_elements = isolate->factory()->NewFixedArrayWithHoles(16);
  }

@@ -4854,9 +4862,11 @@ RUNTIME_FUNCTION(Runtime_RegExpExecMultiple) {
  CONVERT_ARG_HANDLE_CHECKED(JSRegExp, regexp, 0);
  CONVERT_ARG_HANDLE_CHECKED(JSArray, last_match_info, 2);
  CONVERT_ARG_HANDLE_CHECKED(JSArray, result_array, 3);
+  RUNTIME_ASSERT(last_match_info->HasFastObjectElements());
+  RUNTIME_ASSERT(result_array->HasFastObjectElements());

  subject = String::Flatten(subject);
-  ASSERT(regexp->GetFlags().is_global());
+  RUNTIME_ASSERT(regexp->GetFlags().is_global());

  if (regexp->CaptureCount() == 0) {
    return SearchRegExpMultiple<false>(
@@ -5504,6 +5514,7 @@ RUNTIME_FUNCTION(Runtime_SetHiddenProperty) {
  CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
  CONVERT_ARG_HANDLE_CHECKED(String, key, 1);
  CONVERT_ARG_HANDLE_CHECKED(Object, value, 2);
+  RUNTIME_ASSERT(key->IsUniqueName());
  return *JSObject::SetHiddenProperty(object, key, value);
 }

@@ -7338,6 +7349,7 @@ RUNTIME_FUNCTION(Runtime_StringBuilderJoin) {
  CONVERT_SMI_ARG_CHECKED(array_length, 1);
  CONVERT_ARG_HANDLE_CHECKED(String, separator, 2);
  RUNTIME_ASSERT(array->HasFastObjectElements());
+  RUNTIME_ASSERT(array_length >= 0);

  Handle<FixedArray> fixed_array(FixedArray::cast(array->elements()));
  if (fixed_array->length() < array_length) {
@@ -7385,17 +7397,19 @@ RUNTIME_FUNCTION(Runtime_StringBuilderJoin) {
  uc16* end = sink + length;
 #endif

+  RUNTIME_ASSERT(fixed_array->get(0)->IsString());
  String* first = String::cast(fixed_array->get(0));
-  String* seperator_raw = *separator;
+  String* separator_raw = *separator;
  int first_length = first->length();
  String::WriteToFlat(first, sink, 0, first_length);
  sink += first_length;

  for (int i = 1; i < array_length; i++) {
    ASSERT(sink + separator_length <= end);
-    String::WriteToFlat(seperator_raw, sink, 0, separator_length);
+    String::WriteToFlat(separator_raw, sink, 0, separator_length);
    sink += separator_length;

+    RUNTIME_ASSERT(fixed_array->get(i)->IsString());
    String* element = String::cast(fixed_array->get(i));
    int element_length = element->length();
    ASSERT(sink + element_length <= end);
@@ -7474,6 +7488,8 @@ RUNTIME_FUNCTION(Runtime_SparseJoinWithSeparator) {
  FixedArray* elements = FixedArray::cast(elements_array->elements());
  for (int i = 0; i < elements_length; i += 2) {
    RUNTIME_ASSERT(elements->get(i)->IsNumber());
+    CONVERT_NUMBER_CHECKED(uint32_t, position, Uint32, elements->get(i));
+    RUNTIME_ASSERT(position < array_length);
    RUNTIME_ASSERT(elements->get(i + 1)->IsString());
  }

@@ -9752,6 +9768,8 @@ RUNTIME_FUNCTION(Runtime_DateLocalTimezone) {
  ASSERT(args.length() == 1);

  CONVERT_DOUBLE_ARG_CHECKED(x, 0);
+  RUNTIME_ASSERT(x >= -DateCache::kMaxTimeBeforeUTCInMs &&
+                 x <= DateCache::kMaxTimeBeforeUTCInMs);
  const char* zone =
      isolate->date_cache()->LocalTimezone(static_cast<int64_t>(x));
  Handle<String> result = isolate->factory()->NewStringFromUtf8(
@@ -9765,6 +9783,8 @@ RUNTIME_FUNCTION(Runtime_DateToUTC) {
  ASSERT(args.length() == 1);

  CONVERT_DOUBLE_ARG_CHECKED(x, 0);
+  RUNTIME_ASSERT(x >= -DateCache::kMaxTimeBeforeUTCInMs &&
+                 x <= DateCache::kMaxTimeBeforeUTCInMs);
  int64_t time = isolate->date_cache()->ToUTC(static_cast<int64_t>(x));

  return *isolate->factory()->NewNumber(static_cast<double>(time));
@@ -10356,6 +10376,10 @@ static bool IterateElements(Isolate* isolate,
      if (length == 0) break;
      // Run through the elements FixedArray and use HasElement and GetElement
      // to check the prototype for missing elements.
+      if (receiver->elements()->IsFixedArray()) {
+        ASSERT(receiver->elements()->length() == 0);
+        break;
+      }
      Handle<FixedDoubleArray> elements(
          FixedDoubleArray::cast(receiver->elements()));
      int fast_length = static_cast<int>(length);
@@ -10706,15 +10730,13 @@ RUNTIME_FUNCTION(Runtime_MoveArrayContents) {
 RUNTIME_FUNCTION(Runtime_EstimateNumberOfElements) {
  SealHandleScope shs(isolate);
  ASSERT(args.length() == 1);
-  CONVERT_ARG_CHECKED(JSObject, object, 0);
+  CONVERT_ARG_CHECKED(JSArray, object, 0);
  HeapObject* elements = object->elements();
  if (elements->IsDictionary()) {
    int result = SeededNumberDictionary::cast(elements)->NumberOfElements();
    return Smi::FromInt(result);
-  } else if (object->IsJSArray()) {
-    return JSArray::cast(object)->length();
  } else {
-    return Smi::FromInt(FixedArray::cast(elements)->length());
+    return object->length();
  }
 }

@@ -10755,8 +10777,8 @@ RUNTIME_FUNCTION(Runtime_GetArrayKeys) {
    }
    return *isolate->factory()->NewJSArrayWithElements(keys);
  } else {
-    ASSERT(array->HasFastSmiOrObjectElements() ||
-           array->HasFastDoubleElements());
+    RUNTIME_ASSERT(array->HasFastSmiOrObjectElements() ||
+                   array->HasFastDoubleElements());
    uint32_t actual_length = static_cast<uint32_t>(array->elements()->length());
    return *isolate->factory()->NewNumberFromUint(Min(actual_length, length));
  }
@@ -10859,8 +10881,8 @@ static Handle<Object> DebugLookupResultValue(Isolate* isolate,
      break;
    }
    case INTERCEPTOR:
-      break;
    case HANDLER:
+      break;
    case NONEXISTENT:
      UNREACHABLE();
      break;
@@ -12697,12 +12719,13 @@ RUNTIME_FUNCTION(Runtime_SetFunctionBreakPoint) {
  ASSERT(args.length() == 3);
  CONVERT_ARG_HANDLE_CHECKED(JSFunction, function, 0);
  CONVERT_NUMBER_CHECKED(int32_t, source_position, Int32, args[1]);
-  RUNTIME_ASSERT(source_position >= 0);
+  RUNTIME_ASSERT(source_position >= function->shared()->start_position() &&
+                 source_position <= function->shared()->end_position());
  CONVERT_ARG_HANDLE_CHECKED(Object, break_point_object_arg, 2);

  // Set break point.
-  isolate->debug()->SetBreakPoint(function, break_point_object_arg,
-                                  &source_position);
+  RUNTIME_ASSERT(isolate->debug()->SetBreakPoint(
+      function, break_point_object_arg, &source_position));

  return Smi::FromInt(source_position);
 }
@@ -13504,7 +13527,7 @@ RUNTIME_FUNCTION(Runtime_LiveEditFunctionSetScript) {
      Script* script = Script::cast(JSValue::cast(*script_object)->value());
      script_object = Handle<Object>(script, isolate);
    }
-
+    RUNTIME_ASSERT(function_wrapper->value()->IsSharedFunctionInfo());
    LiveEdit::SetFunctionScript(function_wrapper, script_object);
  } else {
    // Just ignore this. We may not have a SharedFunctionInfo for some functions