Revision: 21343
Author: [email protected]
Date: Fri May 16 13:43:19 2014 UTC
Log: Harden builtins BuildResultFromMatchInfo and URIDecodeOctets
[email protected]
Review URL: https://codereview.chromium.org/286203010
http://code.google.com/p/v8/source/detail?r=21343
Modified:
/branches/bleeding_edge/src/hydrogen.cc
/branches/bleeding_edge/src/regexp.js
/branches/bleeding_edge/src/uri.js
/branches/bleeding_edge/tools/generate-runtime-tests.py
=======================================
--- /branches/bleeding_edge/src/hydrogen.cc Thu May 15 13:03:14 2014 UTC
+++ /branches/bleeding_edge/src/hydrogen.cc Fri May 16 13:43:19 2014 UTC
@@ -1535,12 +1535,14 @@
// Compute the size of the RegExpResult followed by FixedArray with
length.
HValue* size = length;
- size = AddUncasted<HShl>(size, Add<HConstant>(kPointerSizeLog2));
- size = AddUncasted<HAdd>(size, Add<HConstant>(static_cast<int32_t>(
- JSRegExpResult::kSize + FixedArray::kHeaderSize)));
+ // Make sure size does not exceed max regular heap object size.
+ const int kHeaderSize = JSRegExpResult::kSize + FixedArray::kHeaderSize;
+ const int kMaxLength =
+ (Page::kMaxRegularHeapObjectSize - kHeaderSize) >> kPointerSizeLog2;
+ Add<HBoundsCheck>(size, Add<HConstant>(kMaxLength));
- // Make sure size does not exceeds max regular heap object size.
- Add<HBoundsCheck>(size, Add<HConstant>(Page::kMaxRegularHeapObjectSize));
+ size = AddUncasted<HShl>(size, Add<HConstant>(kPointerSizeLog2));
+ size = AddUncasted<HAdd>(size, Add<HConstant>(kHeaderSize));
// Allocate the JSRegExpResult and the FixedArray in one step.
HValue* result = Add<HAllocate>(
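Review bot: The comment on the new line `// Make sure size does not exceed max regular heap object size.` no longer describes what the check does: the HBoundsCheck now runs on the unshifted `length` against `kMaxLength`, and the real reason for reordering it ahead of the HShl/HAdd is that the old sequence could overflow the int32 `size` before it was compared. I would say so explicitly, e.g. `// Bound the element count before shifting so that neither the shift nor the header add can overflow int32; a length that would not fit in a regular heap object fails this check.` Note also that `HBoundsCheck(size, kMaxLength)` rejects `length == kMaxLength` even though that many elements would fit exactly, which is harmless but worth a word, and that rejecting negative lengths relies on HBoundsCheck comparing as unsigned, which the hunk does not itself establish. The HAllocate call on the last line continues outside the hunk.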
=======================================
--- /branches/bleeding_edge/src/regexp.js Wed May 14 08:51:10 2014 UTC
+++ /branches/bleeding_edge/src/regexp.js Fri May 16 13:43:19 2014 UTC
@@ -108,23 +108,26 @@
}
-function BuildResultFromMatchInfo(lastMatchInfo, s) {
- var numResults = NUMBER_OF_CAPTURES(lastMatchInfo) >> 1;
- var start = lastMatchInfo[CAPTURE0];
- var end = lastMatchInfo[CAPTURE1];
- var result = %_RegExpConstructResult(numResults, start, s);
- result[0] = %_SubString(s, start, end);
+// This is kind of performance sensitive, so we want to avoid unnecessary
+// type checks on inputs. But we also don't want to inline it several times
+// manually, so we use a macro :-)
+macro RETURN_NEW_RESULT_FROM_MATCH_INFO(MATCHINFO, STRING)
+ var numResults = NUMBER_OF_CAPTURES(MATCHINFO) >> 1;
+ var start = MATCHINFO[CAPTURE0];
+ var end = MATCHINFO[CAPTURE1];
+ var result = %_RegExpConstructResult(numResults, start, STRING);
+ result[0] = %_SubString(STRING, start, end);
var j = REGEXP_FIRST_CAPTURE + 2;
for (var i = 1; i < numResults; i++) {
- start = lastMatchInfo[j++];
+ start = MATCHINFO[j++];
if (start != -1) {
- end = lastMatchInfo[j];
- result[i] = %_SubString(s, start, end);
+ end = MATCHINFO[j];
+ result[i] = %_SubString(STRING, start, end);
}
j++;
}
return result;
-}
+endmacro
function RegExpExecNoTests(regexp, string, start) {
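Review bot: The macro header comment says the type checks on the inputs are "unnecessary", but it does not record the invariant that makes dropping them safe: `MATCHINFO` is read as a capture-offset array and fed straight to `%_RegExpConstructResult` and `%_SubString`, so it must be a non-null result of `%_RegExpExec` and `STRING` must be the subject that produced it. Turning the function into a macro removes it from the set of directly callable builtins (the EXPECTED_BUILTINS_COUNT drop in tools/generate-runtime-tests.py appears to be that), which is presumably what makes the unchecked reads acceptable; I would add a line such as `// Callers must pass the non-null result of %_RegExpExec and the exact subject string it matched against; no validation is done here.` so the next expansion site does not violate this.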
@@ -132,7 +135,7 @@
var matchInfo = %_RegExpExec(regexp, string, start, lastMatchInfo);
if (matchInfo !== null) {
lastMatchInfoOverride = null;
- return BuildResultFromMatchInfo(matchInfo, string);
+ RETURN_NEW_RESULT_FROM_MATCH_INFO(matchInfo, string);
}
regexp.lastIndex = 0;
return null;
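Review bot: Expanding RETURN_NEW_RESULT_FROM_MATCH_INFO here hoists `var start` (and `end`, `result`, `j`, `i`, `numResults`) into RegExpExecNoTests's function scope, so the macro's `var start = MATCHINFO[CAPTURE0]` silently rebinds the `start` parameter of `function RegExpExecNoTests(regexp, string, start)`. Behaviour is unchanged today because the parameter's only use is the `%_RegExpExec(regexp, string, start, lastMatchInfo)` call that precedes the expansion, but any later read of the parameter would get the match start instead, with no diagnostic. I would either give the macro-internal locals less collidable names (e.g. `matchStart`/`matchEnd`) or add `// NOTE: the macro below redeclares 'start', shadowing the parameter; do not use the parameter after this point.` at the expansion site.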
@@ -175,7 +178,7 @@
if (global) {
this.lastIndex = lastMatchInfo[CAPTURE1];
}
- return BuildResultFromMatchInfo(matchIndices, string);
+ RETURN_NEW_RESULT_FROM_MATCH_INFO(matchIndices, string);
}
=======================================
--- /branches/bleeding_edge/src/uri.js Wed May 14 08:51:10 2014 UTC
+++ /branches/bleeding_edge/src/uri.js Fri May 16 13:43:19 2014 UTC
@@ -84,6 +84,7 @@
function URIDecodeOctets(octets, result, index) {
+ if (!IS_STRING(result)) throw new $URIError("Internal error");
var value;
var o0 = octets[0];
if (o0 < 0x80) {
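Review bot: `IS_STRING(result)` accepts any string representation, while the writes later in this function go through `%_TwoByteSeqStringSetChar`, whose name suggests it expects a sequential two-byte string; if that intrinsic does not itself verify the representation, a one-byte or non-sequential string passed by a fuzzer would still reach it with the index checks sized for the wrong element width. I cannot tell from the hunk whether the intrinsic checks, so at minimum I would document the expectation next to the new guard: `// result must be the two-byte sequential string allocated by the caller; only its string-ness is verified here.` The rest of URIDecodeOctets continues outside the hunk.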
@@ -148,9 +149,15 @@
throw new $URIError("URI malformed");
}
if (value < 0x10000) {
+ if (index < 0 || index >= result.length) {
+ throw new $URIError("Internal error");
+ }
%_TwoByteSeqStringSetChar(result, index++, value);
return index;
} else {
+ if (index < 0 || index >= result.length - 1) {
+ throw new $URIError("Internal error");
+ }
%_TwoByteSeqStringSetChar(result, index++, (value >> 10) + 0xd7c0);
%_TwoByteSeqStringSetChar(result, index++, (value & 0x3ff) + 0xdc00);
return index;
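Review bot: The new guards `index < 0 || index >= result.length` (and `index >= result.length - 1` for the surrogate-pair case) only reject out-of-range numbers; a non-integer or NaN `index` passes both comparisons and still reaches `%_TwoByteSeqStringSetChar`. If this function can be called with arbitrary arguments, as the "Internal error" wording suggests, I would also require an integer, e.g. `if (!%_IsSmi(index) || index < 0 || index >= result.length)` if that intrinsic is available, or an equivalent integer test, in both branches. The `- 1` in the second branch is correct for the two writes that follow.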
=======================================
--- /branches/bleeding_edge/tools/generate-runtime-tests.py Fri May 16
13:23:32 2014 UTC
+++ /branches/bleeding_edge/tools/generate-runtime-tests.py Fri May 16
13:43:19 2014 UTC
@@ -51,7 +51,7 @@
EXPECTED_FUZZABLE_COUNT = 329
EXPECTED_CCTEST_COUNT = 6
EXPECTED_UNKNOWN_COUNT = 5
-EXPECTED_BUILTINS_COUNT = 827
+EXPECTED_BUILTINS_COUNT = 826
# Don't call these at all.