src/builtins · 7098f35c7ceee6c84c8951f21a6bdb4c4e692d3a · Linshizhi / V8

[dataview] Fix too tight TNode type in DataView getters · 3656b465

Théotime Grohens authored Aug 02, 2018

This CL fixes a bug found by Clusterfuzz, in which the functions
LoadDataViewByteOffset and -ByteLength incorrectly had a return
type of TNode<Smi> instead of TNode<Number>.

This caused a CAST() call to fail when the requested byte offset
or byte length did not fit inside a Smi, i.e. when the underlying
ArrayBuffer of the DataView had a length longer than 2^30 on
32-bit platforms.

The CL also includes a new test in mjsunit to test against this.

Bug: chromium:869313
Change-Id: Ibb7d29bda5782a12c4b506c070bb03fef8c3ec70
Reviewed-on: https://chromium-review.googlesource.com/1158582
Commit-Queue: Théotime Grohens <theotime@google.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54900}

3656b465

Name	Last commit	Last update
..
arm		Loading commit data...
arm64		Loading commit data...
ia32		Loading commit data...
mips		Loading commit data...
mips64		Loading commit data...
ppc		Loading commit data...
s390		Loading commit data...
x64		Loading commit data...
array-foreach.tq		Loading commit data...
array-sort.tq		Loading commit data...
array.tq		Loading commit data...
base.tq		Loading commit data...
builtins-api.cc		Loading commit data...
builtins-arguments-gen.cc		Loading commit data...
builtins-arguments-gen.h		Loading commit data...
builtins-array-gen.cc		Loading commit data...
builtins-array-gen.h		Loading commit data...
builtins-array.cc		Loading commit data...
builtins-arraybuffer.cc		Loading commit data...
builtins-async-function-gen.cc		Loading commit data...
builtins-async-gen.cc		Loading commit data...
builtins-async-gen.h		Loading commit data...
builtins-async-generator-gen.cc		Loading commit data...
builtins-async-iterator-gen.cc		Loading commit data...
builtins-bigint.cc		Loading commit data...
builtins-boolean-gen.cc		Loading commit data...
builtins-boolean.cc		Loading commit data...
builtins-call-gen.cc		Loading commit data...
builtins-call-gen.h		Loading commit data...
builtins-call.cc		Loading commit data...
builtins-callsite.cc		Loading commit data...
builtins-collections-gen.cc		Loading commit data...
builtins-collections.cc		Loading commit data...
builtins-console-gen.cc		Loading commit data...
builtins-console.cc		Loading commit data...
builtins-constructor-gen.cc		Loading commit data...
builtins-constructor-gen.h		Loading commit data...
builtins-constructor.h		Loading commit data...
builtins-conversion-gen.cc		Loading commit data...
builtins-data-view-gen.h		Loading commit data...
builtins-dataview.cc		Loading commit data...
builtins-date-gen.cc		Loading commit data...
builtins-date.cc		Loading commit data...
builtins-debug-gen.cc		Loading commit data...
builtins-definitions.h		Loading commit data...
builtins-descriptors.h		Loading commit data...
builtins-error.cc		Loading commit data...
builtins-function-gen.cc		Loading commit data...
builtins-function.cc		Loading commit data...
builtins-generator-gen.cc		Loading commit data...
builtins-global-gen.cc		Loading commit data...
builtins-global.cc		Loading commit data...
builtins-handler-gen.cc		Loading commit data...
builtins-ic-gen.cc		Loading commit data...
builtins-internal-gen.cc		Loading commit data...
builtins-internal.cc		Loading commit data...
builtins-interpreter-gen.cc		Loading commit data...
builtins-interpreter.cc		Loading commit data...
builtins-intl-gen.cc		Loading commit data...
builtins-intl.cc		Loading commit data...
builtins-intl.h		Loading commit data...
builtins-iterator-gen.cc		Loading commit data...
builtins-iterator-gen.h		Loading commit data...
builtins-json.cc		Loading commit data...
builtins-lazy-gen.cc		Loading commit data...
builtins-lazy-gen.h		Loading commit data...
builtins-math-gen.cc		Loading commit data...
builtins-math-gen.h		Loading commit data...
builtins-math.cc		Loading commit data...
builtins-number-gen.cc		Loading commit data...
builtins-number.cc		Loading commit data...
builtins-object-gen.cc		Loading commit data...
builtins-object.cc		Loading commit data...
builtins-promise-gen.cc		Loading commit data...
builtins-promise-gen.h		Loading commit data...
builtins-promise.cc		Loading commit data...
builtins-proxy-gen.cc		Loading commit data...
builtins-proxy-gen.h		Loading commit data...
builtins-reflect-gen.cc		Loading commit data...
builtins-reflect.cc		Loading commit data...
builtins-regexp-gen.cc		Loading commit data...
builtins-regexp-gen.h		Loading commit data...
builtins-regexp.cc		Loading commit data...
builtins-sharedarraybuffer-gen.cc		Loading commit data...
builtins-sharedarraybuffer.cc		Loading commit data...
builtins-string-gen.cc		Loading commit data...
builtins-string-gen.h		Loading commit data...
builtins-string.cc		Loading commit data...
builtins-symbol-gen.cc		Loading commit data...
builtins-symbol.cc		Loading commit data...
builtins-test-gen.h		Loading commit data...
builtins-trace.cc		Loading commit data...
builtins-typed-array-gen.cc		Loading commit data...
builtins-typed-array-gen.h		Loading commit data...
builtins-typed-array.cc		Loading commit data...
builtins-utils-gen.h		Loading commit data...
builtins-utils-inl.h		Loading commit data...
builtins-utils.h		Loading commit data...
builtins-wasm-gen.cc		Loading commit data...
builtins.cc		Loading commit data...
builtins.h		Loading commit data...
constants-table-builder.cc		Loading commit data...
constants-table-builder.h		Loading commit data...
data-view.tq		Loading commit data...
growable-fixed-array-gen.cc		Loading commit data...
growable-fixed-array-gen.h		Loading commit data...
setup-builtins-internal.cc		Loading commit data...
typed-array.tq		Loading commit data...