Ensure appropriate bounds checking for Array subclass concat

When an Array subclass is used as the receiver for concat, or with certain usages of @@species, the output that's constructed is of a different type with new slow path logic. This slow path still made references to elements, so it's important that bounds checking for a too-long result still be done. This patch repairs that bounds checking. R=cbruni LOG=Y BUG=chromium:592340 Review URL: https://codereview.chromium.org/1782443002 Cr-Commit-Position: refs/heads/master@{#34636}

Ensure appropriate bounds checking for Array subclass concat
When an Array subclass is used as the receiver for concat, or with certain usages of @@species, the output that's constructed is of a different type with new slow path logic. This slow path still made references to elements, so it's important that bounds checking for a too-long result still be done. This patch repairs that bounds checking. R=cbruni LOG=Y BUG=chromium:592340 Review URL: https://codereview.chromium.org/1782443002 Cr-Commit-Position: refs/heads/master@{#34636}
ca5deb1f · littledan · Commit bot · f99624a9 · ca5deb1f · ca5deb1f
Commit ca5deb1f authored Mar 09, 2016 by littledan Committed by Commit bot Mar 09, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 8 deletions

builtins.cc src/builtins.cc +8 -8

regress-crbug-592340.js test/mjsunit/regress/regress-crbug-592340.js +13 -0

No files found.
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -673,14 +673,6 @@ class ArrayConcatVisitor {
  bool visit(uint32_t i, Handle<Object> elm) {
    uint32_t index = index_offset_ + i;

-    if (!is_fixed_array()) {
-      Handle<Object> element_value;
-      ASSIGN_RETURN_ON_EXCEPTION_VALUE(
-          isolate_, element_value,
-          Object::SetElement(isolate_, storage_, index, elm, STRICT), false);
-      return true;
-    }
-
    if (i >= JSObject::kMaxElementCount - index_offset_) {
      set_exceeds_array_limit(true);
      // Exception hasn't been thrown at this point. Return true to
@@ -689,6 +681,14 @@ class ArrayConcatVisitor {
      return true;
    }

+    if (!is_fixed_array()) {
+      Handle<Object> element_value;
+      ASSIGN_RETURN_ON_EXCEPTION_VALUE(
+          isolate_, element_value,
+          Object::SetElement(isolate_, storage_, index, elm, STRICT), false);
+      return true;
+    }
+
    if (fast_elements()) {
      if (index < static_cast<uint32_t>(storage_fixed_array()->length())) {
        storage_fixed_array()->set(index, *elm);

--- a/test/mjsunit/regress/regress-crbug-592340.js
+++ b/test/mjsunit/regress/regress-crbug-592340.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+class MyArray extends Array { }
+Object.prototype[Symbol.species] = MyArray;
+delete Array[Symbol.species];
+__v_1 = Math.pow(2, 31);
+__v_2 = [];
+__v_2[__v_1] = 31;
+__v_4 = [];
+__v_4[__v_1 - 2] = 33;
+assertThrows(() => __v_2.concat(__v_4), RangeError);