From: jkummerow@chromium.org
Date: Mon, 12 May 2014 15:30:00 +0000 (+0000)
Subject: Harden more runtime functions
X-Git-Tag: upstream/4.7.83~9157
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a3a56420973b97e877ae14d1883c600c39c83cfc;p=platform%2Fupstream%2Fv8.git
Harden more runtime functions
BUG=chromium:372239
LOG=n
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/282493005
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21271 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index ba0fcab31..eea23c1a5 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -8889,10 +8889,20 @@ void HOptimizedGraphBuilder::GenerateTypedArrayInitialize(
 CHECK_ALIVE(VisitForValue(arguments->at(kObjectArg)));
 HValue* obj = Pop();
- ASSERT(arguments->at(kArrayIdArg)->node_type() == AstNode::kLiteral);
+ if (arguments->at(kArrayIdArg)->node_type() != AstNode::kLiteral) {
+ // This should never happen in real use, but can happen when fuzzing.
+ // Just bail out.
+ Bailout(kNeedSmiLiteral);
+ return;
+ }
 Handle value = static_cast(arguments->at(kArrayIdArg))->value();
- ASSERT(value->IsSmi());
+ if (!value->IsSmi()) {
+ // This should never happen in real use, but can happen when fuzzing.
+ // Just bail out.
+ Bailout(kNeedSmiLiteral);
+ return;
+ }
 int array_id = Smi::cast(*value)->value();
 HValue* buffer;
diff --git a/src/objects-inl.h b/src/objects-inl.h
index b19f5f3f5..6c2b5e2c5 100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -5125,7 +5125,7 @@ SMI_ACCESSORS(SharedFunctionInfo, profiler_ticks, kProfilerTicksOffset)
 void holder::set_##name(int value) { \
 ASSERT(kHeapObjectTag == 1); \
 ASSERT((value & 0xC0000000) == 0xC0000000 || \
- (value & 0xC0000000) == 0x000000000); \
+ (value & 0xC0000000) == 0x0); \
 WRITE_INT_FIELD(this, \
 offset, \
 (value << 1) & ~kHeapObjectTag); \
diff --git a/src/objects.h b/src/objects.h
index fa399000b..d642e1e7d 100644
--- a/src/objects.h
+++ b/src/objects.h
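Review bot: The two new guards establish only that the array-id argument is a Smi literal, not that `array_id` is one of the known typed-array ids; GenerateTypedArrayInitialize continues past the hunk, and if the code there dispatches on `array_id` without a default that bails out, an out-of-range literal would still reach it, so that is worth checking in the same spirit as this change. The duplicated "This should never happen in real use, but can happen when fuzzing. Just bail out." comment says what is done but not why a runtime check replaced the ASSERT; a single comment such as `// ASSERT is not active in release builds, and a non-literal here would make the static_cast below unsafe, so bail out instead.` (hedged: confirm ASSERT is debug-only in this build) would carry the reasoning. The second comment block can then be dropped, since both branches bail out with the same kNeedSmiLiteral reason.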
@@ -1166,6 +1166,7 @@ template inline bool Is(Object* obj);
 V(kModuleVariable, "Module variable") \
 V(kModuleUrl, "Module url") \
 V(kNativeFunctionLiteral, "Native function literal") \
+ V(kNeedSmiLiteral, "Need a Smi literal here") \
 V(kNoCasesLeft, "No cases left") \
 V(kNoEmptyArraysHereInEmitFastAsciiArrayJoin, \
 "No empty arrays here in EmitFastAsciiArrayJoin") \
diff --git a/src/runtime.cc b/src/runtime.cc
index abe9509a7..a63fd65d4 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -3030,6 +3030,8 @@ RUNTIME_FUNCTION(Runtime_FunctionSetLength) {
 CONVERT_ARG_CHECKED(JSFunction, fun, 0);
 CONVERT_SMI_ARG_CHECKED(length, 1);
+ RUNTIME_ASSERT((length & 0xC0000000) == 0xC0000000 ||
+ (length & 0xC0000000) == 0x0);
 fun->shared()->set_length(length);
 return isolate->heap()->undefined_value();
 }
@@ -4882,6 +4884,7 @@ RUNTIME_FUNCTION(Runtime_NumberToFixed) {
 int f = FastD2IChecked(f_number);
 // See DoubleToFixedCString for these constants:
 RUNTIME_ASSERT(f >= 0 && f <= 20);
+ RUNTIME_ASSERT(!Double(value).IsSpecial());
 char* str = DoubleToFixedCString(value, f);
 Handle result = isolate->factory()->NewStringFromAsciiChecked(str);
 DeleteArray(str);
@@ -4897,6 +4900,7 @@ RUNTIME_FUNCTION(Runtime_NumberToExponential) {
 CONVERT_DOUBLE_ARG_CHECKED(f_number, 1);
 int f = FastD2IChecked(f_number);
 RUNTIME_ASSERT(f >= -1 && f <= 20);
+ RUNTIME_ASSERT(!Double(value).IsSpecial());
 char* str = DoubleToExponentialCString(value, f);
 Handle result = isolate->factory()->NewStringFromAsciiChecked(str);
 DeleteArray(str);
@@ -4912,6 +4916,7 @@ RUNTIME_FUNCTION(Runtime_NumberToPrecision) {
 CONVERT_DOUBLE_ARG_CHECKED(f_number, 1);
 int f = FastD2IChecked(f_number);
 RUNTIME_ASSERT(f >= 1 && f <= 21);
+ RUNTIME_ASSERT(!Double(value).IsSpecial());
 char* str = DoubleToPrecisionCString(value, f);
 Handle result = isolate->factory()->NewStringFromAsciiChecked(str);
 DeleteArray(str);
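Review bot: The mask test `(length & 0xC0000000) == 0xC0000000 || (length & 0xC0000000) == 0x0` added in Runtime_FunctionSetLength is the same condition the `set_##name` macro in objects-inl.h asserts (the hunk this patch also touches), written out a second time with a magic constant; a shared named predicate declared next to that macro, e.g. `static inline bool IsValidPseudoSmi(int value)` (name is a proposal), would keep the release-build check and the debug assert from drifting apart and would document what the two bit patterns mean. The check also accepts any negative value whose top two bits are set; whether a negative function length is acceptable here is not visible from the hunk, and if it is not, `length >= 0` belongs in the same RUNTIME_ASSERT.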
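Review bot: `RUNTIME_ASSERT(!Double(value).IsSpecial())` in Runtime_NumberToFixed makes NaN and ±Infinity fail the runtime assert rather than produce the "NaN"/"Infinity" strings toFixed returns in JavaScript, so it relies on the JS-side caller filtering those values before the runtime function is reached; that dependency is not visible from the patch and should be confirmed. A one-line comment stating it, e.g. `// NaN and infinities are handled by the JavaScript caller; the C string converter expects a finite double.`, would stop a later reader from "fixing" the assert the other way. The same addition appears in the Runtime_NumberToExponential and Runtime_NumberToPrecision hunks below, and the comment belongs in all three.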