src · 700bbdc673c9b023a7e9339f8f1a68dbe6b8a74d · Linshizhi / V8

Avoid calling %AddElement with a number out of array index range · 700bbdc6

littledan authored Oct 28, 2015

This patch wraps callsites to %AddElement to fall back to adding a
named property in case it is given an argument of 2**32 or greater.
The change is needed because %AddElement is called by Array functions
in various places, and ES2015 changes these Array functions to use
ToLength rather than ToUint32, so several callsites of %AddElement
which used to be reliable array indices may be larger numbers. While
the proper long-term solution may be to call out to
Object.defineProperty, this fix should allow the ToLength semantics
to be shipped while preserving correctness and not requiring a
rewrite.

BUG=v8:4516
LOG=Y
R=adamk
TEST=Interactively ran Array.prototype.slice on an Array-like which
exceeded array bounds, and found that this did not check-fail at
runtime as it did before.
Microbenchmarked this technique against the previous version on a
simple reverse implementation and found at most a 1% slowdown, as
opposed to other techniques, like calling %DefineDataPropertyUnchecked,
which had a 20% slowdown or Object.defineProperty with a 80% slowdown.

Review URL: https://codereview.chromium.org/1420663003

Cr-Commit-Position: refs/heads/master@{#31640}

700bbdc6

Name	Last commit	Last update
..
arm		Loading commit data...
arm64		Loading commit data...
base		Loading commit data...
compiler		Loading commit data...
crankshaft		Loading commit data...
debug		Loading commit data...
extensions		Loading commit data...
full-codegen		Loading commit data...
heap		Loading commit data...
ia32		Loading commit data...
ic		Loading commit data...
interpreter		Loading commit data...
js		Loading commit data...
libplatform		Loading commit data...
mips		Loading commit data...
mips64		Loading commit data...
ppc		Loading commit data...
profiler		Loading commit data...
regexp		Loading commit data...
runtime		Loading commit data...
snapshot		Loading commit data...
third_party		Loading commit data...
x64		Loading commit data...
x87		Loading commit data...
DEPS		Loading commit data...
OWNERS		Loading commit data...
accessors.cc		Loading commit data...
accessors.h		Loading commit data...
address-map.cc		Loading commit data...
address-map.h		Loading commit data...
allocation-site-scopes.cc		Loading commit data...
allocation-site-scopes.h		Loading commit data...
allocation.cc		Loading commit data...
allocation.h		Loading commit data...
api-natives.cc		Loading commit data...
api-natives.h		Loading commit data...
api.cc		Loading commit data...
api.h		Loading commit data...
arguments.cc		Loading commit data...
arguments.h		Loading commit data...
assembler.cc		Loading commit data...
assembler.h		Loading commit data...
assert-scope.cc		Loading commit data...
assert-scope.h		Loading commit data...
ast-expression-visitor.cc		Loading commit data...
ast-expression-visitor.h		Loading commit data...
ast-literal-reindexer.cc		Loading commit data...
ast-literal-reindexer.h		Loading commit data...
ast-numbering.cc		Loading commit data...
ast-numbering.h		Loading commit data...
ast-value-factory.cc		Loading commit data...
ast-value-factory.h		Loading commit data...
ast.cc		Loading commit data...
ast.h		Loading commit data...
atomic-utils.h		Loading commit data...
background-parsing-task.cc		Loading commit data...
background-parsing-task.h		Loading commit data...
bailout-reason.cc		Loading commit data...
bailout-reason.h		Loading commit data...
base.isolate		Loading commit data...
basic-block-profiler.cc		Loading commit data...
basic-block-profiler.h		Loading commit data...
bignum-dtoa.cc		Loading commit data...
bignum-dtoa.h		Loading commit data...
bignum.cc		Loading commit data...
bignum.h		Loading commit data...
bit-vector.cc		Loading commit data...
bit-vector.h		Loading commit data...
bootstrapper.cc		Loading commit data...
bootstrapper.h		Loading commit data...
builtins.cc		Loading commit data...
builtins.h		Loading commit data...
cached-powers.cc		Loading commit data...
cached-powers.h		Loading commit data...
cancelable-task.cc		Loading commit data...
cancelable-task.h		Loading commit data...
char-predicates-inl.h		Loading commit data...
char-predicates.cc		Loading commit data...
char-predicates.h		Loading commit data...
checks.h		Loading commit data...
code-factory.cc		Loading commit data...
code-factory.h		Loading commit data...
code-stubs-hydrogen.cc		Loading commit data...
code-stubs.cc		Loading commit data...
code-stubs.h		Loading commit data...
codegen.cc		Loading commit data...
codegen.h		Loading commit data...
compilation-cache.cc		Loading commit data...
compilation-cache.h		Loading commit data...
compilation-dependencies.cc		Loading commit data...
compilation-dependencies.h		Loading commit data...
compilation-statistics.cc		Loading commit data...
compilation-statistics.h		Loading commit data...
compiler.cc		Loading commit data...
compiler.h		Loading commit data...
context-measure.cc		Loading commit data...
context-measure.h		Loading commit data...
contexts-inl.h		Loading commit data...
contexts.cc		Loading commit data...
contexts.h		Loading commit data...
conversions-inl.h		Loading commit data...
conversions.cc		Loading commit data...
conversions.h		Loading commit data...
counters.cc		Loading commit data...
counters.h		Loading commit data...
d8-posix.cc		Loading commit data...
d8-windows.cc		Loading commit data...
d8.cc		Loading commit data...
d8.gyp		Loading commit data...
d8.h		Loading commit data...
d8.isolate		Loading commit data...
d8.js		Loading commit data...
date.cc		Loading commit data...
date.h		Loading commit data...
dateparser-inl.h		Loading commit data...
dateparser.cc		Loading commit data...
dateparser.h		Loading commit data...
deoptimizer.cc		Loading commit data...
deoptimizer.h		Loading commit data...
disasm.h		Loading commit data...
disassembler.cc		Loading commit data...
disassembler.h		Loading commit data...
diy-fp.cc		Loading commit data...
diy-fp.h		Loading commit data...
double.h		Loading commit data...
dtoa.cc		Loading commit data...
dtoa.h		Loading commit data...
effects.h		Loading commit data...
elements-kind.cc		Loading commit data...
elements-kind.h		Loading commit data...
elements.cc		Loading commit data...
elements.h		Loading commit data...
execution.cc		Loading commit data...
execution.h		Loading commit data...
expression-classifier.h		Loading commit data...
factory.cc		Loading commit data...
factory.h		Loading commit data...
fast-dtoa.cc		Loading commit data...
fast-dtoa.h		Loading commit data...
field-index-inl.h		Loading commit data...
field-index.h		Loading commit data...
fixed-dtoa.cc		Loading commit data...
fixed-dtoa.h		Loading commit data...
flag-definitions.h		Loading commit data...
flags.cc		Loading commit data...
flags.h		Loading commit data...
frames-inl.h		Loading commit data...
frames.cc		Loading commit data...
frames.h		Loading commit data...
func-name-inferrer.cc		Loading commit data...
func-name-inferrer.h		Loading commit data...
futex-emulation.cc		Loading commit data...
futex-emulation.h		Loading commit data...
gdb-jit.cc		Loading commit data...
gdb-jit.h		Loading commit data...
global-handles.cc		Loading commit data...
global-handles.h		Loading commit data...
globals.h		Loading commit data...
handles-inl.h		Loading commit data...
handles.cc		Loading commit data...
handles.h		Loading commit data...
hashmap.h		Loading commit data...
i18n.cc		Loading commit data...
i18n.h		Loading commit data...
icu_util.cc		Loading commit data...
icu_util.h		Loading commit data...
identity-map.cc		Loading commit data...
identity-map.h		Loading commit data...
interface-descriptors.cc		Loading commit data...
interface-descriptors.h		Loading commit data...
isolate-inl.h		Loading commit data...
isolate.cc		Loading commit data...
isolate.h		Loading commit data...
json-parser.h		Loading commit data...
json-stringifier.h		Loading commit data...
layout-descriptor-inl.h		Loading commit data...
layout-descriptor.cc		Loading commit data...
layout-descriptor.h		Loading commit data...
list-inl.h		Loading commit data...
list.h		Loading commit data...
log-inl.h		Loading commit data...
log-utils.cc		Loading commit data...
log-utils.h		Loading commit data...
log.cc		Loading commit data...
log.h		Loading commit data...
lookup.cc		Loading commit data...
lookup.h		Loading commit data...
macro-assembler.h		Loading commit data...
messages.cc		Loading commit data...
messages.h		Loading commit data...
modules.cc		Loading commit data...
modules.h		Loading commit data...
msan.h		Loading commit data...
objects-debug.cc		Loading commit data...
objects-inl.h		Loading commit data...
objects-printer.cc		Loading commit data...
objects.cc		Loading commit data...
objects.h		Loading commit data...
optimizing-compile-dispatcher.cc		Loading commit data...
optimizing-compile-dispatcher.h		Loading commit data...
ostreams.cc		Loading commit data...
ostreams.h		Loading commit data...
parameter-initializer-rewriter.cc		Loading commit data...
parameter-initializer-rewriter.h		Loading commit data...
parser.cc		Loading commit data...
parser.h		Loading commit data...
pattern-rewriter.cc		Loading commit data...
pending-compilation-error-handler.cc		Loading commit data...
pending-compilation-error-handler.h		Loading commit data...
preparse-data-format.h		Loading commit data...
preparse-data.cc		Loading commit data...
preparse-data.h		Loading commit data...
preparser.cc		Loading commit data...
preparser.h		Loading commit data...
prettyprinter.cc		Loading commit data...
prettyprinter.h		Loading commit data...
property-descriptor.cc		Loading commit data...
property-descriptor.h		Loading commit data...
property-details.h		Loading commit data...
property.cc		Loading commit data...
property.h		Loading commit data...
prototype.h		Loading commit data...
register-configuration.cc		Loading commit data...
register-configuration.h		Loading commit data...
rewriter.cc		Loading commit data...
rewriter.h		Loading commit data...
runtime-profiler.cc		Loading commit data...
runtime-profiler.h		Loading commit data...
safepoint-table.cc		Loading commit data...
safepoint-table.h		Loading commit data...
scanner-character-streams.cc		Loading commit data...
scanner-character-streams.h		Loading commit data...
scanner.cc		Loading commit data...
scanner.h		Loading commit data...
scopeinfo.cc		Loading commit data...
scopeinfo.h		Loading commit data...
scopes.cc		Loading commit data...
scopes.h		Loading commit data...
signature.h		Loading commit data...
simulator.h		Loading commit data...
small-pointer-list.h		Loading commit data...
splay-tree-inl.h		Loading commit data...
splay-tree.h		Loading commit data...
startup-data-util.cc		Loading commit data...
startup-data-util.h		Loading commit data...
string-builder.cc		Loading commit data...
string-builder.h		Loading commit data...
string-search.h		Loading commit data...
string-stream.cc		Loading commit data...
string-stream.h		Loading commit data...
strtod.cc		Loading commit data...
strtod.h		Loading commit data...
token.cc		Loading commit data...
token.h		Loading commit data...
transitions-inl.h		Loading commit data...
transitions.cc		Loading commit data...
transitions.h		Loading commit data...
type-cache.cc		Loading commit data...
type-cache.h		Loading commit data...
type-feedback-vector-inl.h		Loading commit data...
type-feedback-vector.cc		Loading commit data...
type-feedback-vector.h		Loading commit data...
type-info.cc		Loading commit data...
type-info.h		Loading commit data...
types-inl.h		Loading commit data...
types.cc		Loading commit data...
types.h		Loading commit data...
typing-asm.cc		Loading commit data...
typing-asm.h		Loading commit data...
typing-reset.cc		Loading commit data...
typing-reset.h		Loading commit data...
unicode-cache-inl.h		Loading commit data...
unicode-cache.h		Loading commit data...
unicode-decoder.cc		Loading commit data...
unicode-decoder.h		Loading commit data...
unicode-inl.h		Loading commit data...
unicode.cc		Loading commit data...
unicode.h		Loading commit data...
utils.cc		Loading commit data...
utils.h		Loading commit data...
v8.cc		Loading commit data...
v8.h		Loading commit data...
v8dll-main.cc		Loading commit data...
v8memory.h		Loading commit data...
v8threads.cc		Loading commit data...
v8threads.h		Loading commit data...
variables.cc		Loading commit data...
variables.h		Loading commit data...
vector.h		Loading commit data...
version.cc		Loading commit data...
version.h		Loading commit data...
vm-state-inl.h		Loading commit data...
vm-state.h		Loading commit data...
zone-allocator.h		Loading commit data...
zone-containers.h		Loading commit data...
zone.cc		Loading commit data...
zone.h		Loading commit data...