[typedarray] Fix incorrect access to typed array byte offset.

Byte offset can be outside of Smi range and must be loaded as a Number rather than a Smi. Bug: chromium:852258 Change-Id: Ida6e07ba68a050d4f5a9f28500986cc67c619b4c Reviewed-on: https://chromium-review.googlesource.com/1100886Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#53748}

[typedarray] Fix incorrect access to typed array byte offset.
Byte offset can be outside of Smi range and must be loaded as a Number rather than a Smi. Bug: chromium:852258 Change-Id: Ida6e07ba68a050d4f5a9f28500986cc67c619b4c Reviewed-on: https://chromium-review.googlesource.com/1100886Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#53748}
d69df91c · Peter Marshall · Commit Bot · 5fdea8fd · d69df91c · d69df91c
Commit d69df91c authored Jun 14, 2018 by Peter Marshall Committed by Commit Bot Jun 15, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 4 deletions

builtins-typed-array-gen.cc src/builtins/builtins-typed-array-gen.cc +13 -4

regress-852258.js test/mjsunit/regress/regress-852258.js +11 -0

No files found.
--- a/src/builtins/builtins-typed-array-gen.cc
+++ b/src/builtins/builtins-typed-array-gen.cc
@@ -1365,15 +1365,24 @@ TF_BUILTIN(TypedArrayPrototypeSlice, TypedArrayBuiltinsAssembler) {
    TNode<IntPtrT> count_bytes = IntPtrMul(SmiToIntPtr(count), source_el_size);

 #ifdef DEBUG
-    TNode<IntPtrT> target_byte_length =
-        LoadAndUntagObjectField(result_array, JSTypedArray::kByteLengthOffset);
+    Label done(this), to_intptr_failed(this, Label::kDeferred);
+    TNode<IntPtrT> target_byte_length = TryToIntptr(
+        LoadObjectField<Number>(result_array, JSTypedArray::kByteLengthOffset),
+        &to_intptr_failed);
    CSA_ASSERT(this, IntPtrLessThanOrEqual(count_bytes, target_byte_length));

-    TNode<IntPtrT> source_byte_length =
-        LoadAndUntagObjectField(source, JSTypedArray::kByteLengthOffset);
+    TNode<IntPtrT> source_byte_length = TryToIntptr(
+        LoadObjectField<Number>(source, JSTypedArray::kByteLengthOffset),
+        &to_intptr_failed);
    TNode<IntPtrT> source_size_in_bytes =
        IntPtrSub(source_byte_length, source_start_bytes);
    CSA_ASSERT(this, IntPtrLessThanOrEqual(count_bytes, source_size_in_bytes));
+    Goto(&done);
+
+    BIND(&to_intptr_failed);
+    Unreachable();
+
+    BIND(&done);
 #endif  // DEBUG

    CallCMemmove(target_data_ptr, source_start, count_bytes);

--- a/test/mjsunit/regress/regress-852258.js
+++ b/test/mjsunit/regress/regress-852258.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+try {
+  let ta0 = new Int16Array(0x24924925);
+  let ta2 = ta0.slice(1);
+  let ta1 = ta0.slice(0x24924924);
+} catch (e) {
+  // Allocation failed, that's fine.
+}