projects / platform / upstream / v8.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7a8a44a)
Harden Runtime_LiveEditCheckAndDropActivations against unsafe args.
authoryangguo@chromium.org <yangguo@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Wed, 2 Jul 2014 15:09:44 +0000 (15:09 +0000)
committeryangguo@chromium.org <yangguo@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Wed, 2 Jul 2014 15:09:44 +0000 (15:09 +0000)
R=jarin@chromium.org
BUG=390925
LOG=N

Review URL: https://codereview.chromium.org/362983004

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22169 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/liveedit.cc patch | blob | history
src/runtime.cc patch | blob | history
test/mjsunit/regress/regress-crbug-390925.js [new file with mode: 0644] patch | blob

diff --git a/src/liveedit.cc b/src/liveedit.cc
index 02f707c..a52eef7 100644 (file)
--- a/src/liveedit.cc
+++ b/src/liveedit.cc
@@ -1957,7 +1957,7 @@ Handle<JSArray> LiveEdit::CheckAndDropActivations(
   Isolate* isolate = shared_info_array->GetIsolate();
   int len = GetArrayLength(shared_info_array);
 
-  CHECK(shared_info_array->HasFastElements());
+  ASSERT(shared_info_array->HasFastElements());
   Handle<FixedArray> shared_info_array_elements(
       FixedArray::cast(shared_info_array->elements()));
 
diff --git a/src/runtime.cc b/src/runtime.cc
index 0f80251..949c617 100644 (file)
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -13503,6 +13503,7 @@ RUNTIME_FUNCTION(Runtime_LiveEditCheckAndDropActivations) {
   CONVERT_ARG_HANDLE_CHECKED(JSArray, shared_array, 0);
   CONVERT_BOOLEAN_ARG_CHECKED(do_drop, 1);
   RUNTIME_ASSERT(shared_array->length()->IsSmi());
+  RUNTIME_ASSERT(shared_array->HasFastElements())
   int array_length = Smi::cast(shared_array->length())->value();
   for (int i = 0; i < array_length; i++) {
     Handle<Object> element =
diff --git a/test/mjsunit/regress/regress-crbug-390925.js b/test/mjsunit/regress/regress-crbug-390925.js
new file mode 100644 (file)
index 0000000..24873df
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-390925.js
@@ -0,0 +1,9 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var a = new Array();
+Object.freeze(a);
+assertThrows(function() { %LiveEditCheckAndDropActivations(a, true); });
Domain: Web Framework / Web Engine;