Reviewers: rossberg,
Message:
ptal
Description:
negative bounds checking on realm calls
[email protected]
BUG=344285
Please review this at https://codereview.chromium.org/169393002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+20, -19 lines):
M src/d8.cc
A + test/mjsunit/regress/regress-cr-344285.js
Index: src/d8.cc
diff --git a/src/d8.cc b/src/d8.cc
index
76ff4f94318890a4cd3b23b3b42208fec4c3d409..05a2f84a362cbd4cc35c5596b602679329b1b115
100644
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -113,9 +113,9 @@ class PerIsolateData {
friend class Shell;
friend class RealmScope;
Isolate* isolate_;
- int realm_count_;
- int realm_current_;
- int realm_switch_;
+ uint32_t realm_count_;
+ uint32_t realm_current_;
+ uint32_t realm_switch_;
Persistent<Context>* realms_;
Persistent<Value> realm_shared_;
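Review bot: The three realm-index members become `uint32_t` here, but `RealmFind` (the hunk at L41) still returns `int`, narrowing its `uint32_t i` on `return i` and using `-1` as the not-found sentinel. Any caller that stores that result into `realm_current_`/`realm_switch_` or compares it with them now mixes signed and unsigned, and `-1` becomes `0xFFFFFFFF`; the callers are not visible in this diff, so this may be benign, but it is worth stating on the members, e.g. `// Realm indices are unsigned; RealmFind() reports "not found" as -1 and its result must be range-checked before use as an index.` The class body continues outside the hunk.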
@@ -272,7 +272,7 @@ PerIsolateData::RealmScope::RealmScope(PerIsolateData*
data) : data_(data) {
PerIsolateData::RealmScope::~RealmScope() {
// Drop realms to avoid keeping them alive.
- for (int i = 0; i < data_->realm_count_; ++i)
+ for (uint32_t i = 0; i < data_->realm_count_; ++i)
data_->realms_[i].Reset();
delete[] data_->realms_;
if (!data_->realm_shared_.IsEmpty())
@@ -281,7 +281,7 @@ PerIsolateData::RealmScope::~RealmScope() {
int PerIsolateData::RealmFind(Handle<Context> context) {
- for (int i = 0; i < realm_count_; ++i) {
+ for (uint32_t i = 0; i < realm_count_; ++i) {
if (realms_[i] == context) return i;
}
return -1;
@@ -329,7 +329,7 @@ void Shell::RealmGlobal(const
v8::FunctionCallbackInfo<v8::Value>& args) {
Throw(args.GetIsolate(), "Invalid argument");
return;
}
- int index = args[0]->Uint32Value();
+ uint32_t index = args[0]->Uint32Value();
if (index >= data->realm_count_ || data->realms_[index].IsEmpty()) {
Throw(args.GetIsolate(), "Invalid realm index");
return;
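Review bot: `args[0]->Uint32Value()` applies ToUint32, so negative indices now correctly fail `index >= data->realm_count_`, but a value of 2^32 or more wraps modulo 2^32 (4294967296 silently becomes realm 0) and targets an existing realm instead of throwing. If the argument check just above the hunk (not visible here) only tests that the argument is a number, tightening it to `args[0]->IsUint32()` would reject both the negative and the oversized case before the conversion. The same applies to RealmDispose, RealmSwitch and RealmEval in the hunks at L71, L81 and L91. RealmGlobal's body continues outside the hunk.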
@@ -344,9 +344,9 @@ void Shell::RealmCreate(const
v8::FunctionCallbackInfo<v8::Value>& args) {
Isolate* isolate = args.GetIsolate();
PerIsolateData* data = PerIsolateData::Get(isolate);
Persistent<Context>* old_realms = data->realms_;
- int index = data->realm_count_;
+ uint32_t index = data->realm_count_;
data->realms_ = new Persistent<Context>[++data->realm_count_];
- for (int i = 0; i < index; ++i) {
+ for (uint32_t i = 0; i < index; ++i) {
data->realms_[i].Reset(isolate, old_realms[i]);
}
delete[] old_realms;
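Review bot: `delete[] old_realms` frees the old array without `Reset()`-ing its entries, whereas `~RealmScope` in the hunk above drops each realm before `delete[]` precisely "to avoid keeping them alive"; unless the Persistent traits used here reset in the destructor, every `Realm.create()` leaks the previous generation of global handles. Since the copy loop is being touched anyway, adding `old_realms[i].Reset();` right after `data->realms_[i].Reset(isolate, old_realms[i]);` inside it would close that. This is pre-existing rather than introduced by the type change, and RealmCreate's body continues outside the hunk.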
@@ -365,7 +365,7 @@ void Shell::RealmDispose(const
v8::FunctionCallbackInfo<v8::Value>& args) {
Throw(args.GetIsolate(), "Invalid argument");
return;
}
- int index = args[0]->Uint32Value();
+ uint32_t index = args[0]->Uint32Value();
if (index >= data->realm_count_ || data->realms_[index].IsEmpty() ||
index == 0 ||
index == data->realm_current_ || index == data->realm_switch_) {
@@ -384,7 +384,7 @@ void Shell::RealmSwitch(const
v8::FunctionCallbackInfo<v8::Value>& args) {
Throw(args.GetIsolate(), "Invalid argument");
return;
}
- int index = args[0]->Uint32Value();
+ uint32_t index = args[0]->Uint32Value();
if (index >= data->realm_count_ || data->realms_[index].IsEmpty()) {
Throw(args.GetIsolate(), "Invalid realm index");
return;
@@ -401,7 +401,7 @@ void Shell::RealmEval(const
v8::FunctionCallbackInfo<v8::Value>& args) {
Throw(args.GetIsolate(), "Invalid argument");
return;
}
- int index = args[0]->Uint32Value();
+ uint32_t index = args[0]->Uint32Value();
if (index >= data->realm_count_ || data->realms_[index].IsEmpty()) {
Throw(args.GetIsolate(), "Invalid realm index");
return;
Index: test/mjsunit/regress/regress-cr-344285.js
diff --git a/test/mjsunit/function-arguments-duplicate.js
b/test/mjsunit/regress/regress-cr-344285.js
similarity index 87%
copy from test/mjsunit/function-arguments-duplicate.js
copy to test/mjsunit/regress/regress-cr-344285.js
index
80f03a106b30a7e2f984a83b9d54b2edd8fb840a..42e8bd109bb34cfb3de436af96f91104f698b836
100644
--- a/test/mjsunit/function-arguments-duplicate.js
+++ b/test/mjsunit/regress/regress-cr-344285.js
@@ -25,12 +25,13 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-// Execises ArgumentsAccessStub::GenerateNewNonStrictSlow.
-
-function f(a, a) {
- assertEquals(2, a);
- assertEquals(1, arguments[0]);
- assertEquals(2, arguments[1]);
+function __f_1(g) { return (g/-1) ^ 1; }
+var __v_0 = 1 << 31;
+var __v_2 = __f_1(__v_0);
+caught = false;
+try {
+ Realm.eval(__v_2, "Realm.global(0).y = 1");
+} catch (e) {
+ caught = true;
}
-
-f(1, 2);
+assertTrue(caught, "exception not caught");
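Review bot: `caught = false;` assigns an undeclared global (the file is sloppy mode), which the harness tolerates but which reads as a typo; `var caught = false;` makes the intent explicit. Alternatively the try/catch can become the mjsunit idiom `assertThrows(function() { Realm.eval(__v_2, "Realm.global(0).y = 1"); });`, which also reports a clearer failure message. The removed `// Execises ...` line should be replaced by one naming what this test pins, e.g. `// Regression test for crbug.com/344285: a negative realm index passed to Realm.eval must throw instead of indexing out of bounds.`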
--