From a55fcc93ae8614095644007bba713a64048a864c Mon Sep 17 00:00:00 2001
From: binji
Date: Tue, 14 Jul 2015 09:17:13 -0700
Subject: [PATCH] Don't use length property when bounds checking atomics functions

The length property can be monkey-patched, so use the native function instead.
R=jarin@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1227913006
Cr-Commit-Position: refs/heads/master@{#29653}
---
 src/harmony-atomics.js | 18 +++++++++---------
 test/mjsunit/harmony/atomics.js | 15 +++++++++++++++
 test/mjsunit/regress/regress-crbug-501809.js | 2 +-
 3 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/src/harmony-atomics.js b/src/harmony-atomics.js
index e801939..b137d43 100644
--- a/src/harmony-atomics.js
+++ b/src/harmony-atomics.js
@@ -33,7 +33,7 @@ function CheckSharedIntegerTypedArray(ia) {
 function AtomicsCompareExchangeJS(sta, index, oldValue, newValue) {
 CheckSharedTypedArray(sta);
 index = $toInteger(index);
- if (index < 0 || index >= sta.length) {
+ if (index < 0 || index >= %_TypedArrayGetLength(sta)) {
 return UNDEFINED;
 }
 oldValue = $toNumber(oldValue);
@@ -44,7 +44,7 @@ function AtomicsCompareExchangeJS(sta, index, oldValue, newValue) {
 function AtomicsLoadJS(sta, index) {
 CheckSharedTypedArray(sta);
 index = $toInteger(index);
- if (index < 0 || index >= sta.length) {
+ if (index < 0 || index >= %_TypedArrayGetLength(sta)) {
 return UNDEFINED;
 }
 return %_AtomicsLoad(sta, index);
@@ -53,7 +53,7 @@ function AtomicsLoadJS(sta, index) {
 function AtomicsStoreJS(sta, index, value) {
 CheckSharedTypedArray(sta);
 index = $toInteger(index);
- if (index < 0 || index >= sta.length) {
+ if (index < 0 || index >= %_TypedArrayGetLength(sta)) {
 return UNDEFINED;
 }
 value = $toNumber(value);
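Review bot: In AtomicsCompareExchangeJS the bounds check now reads the native length, but `oldValue = $toNumber(oldValue)` still runs after the check and can call a user-defined `valueOf`, so the check stays sound only while the array's length cannot change in between; that invariant deserves a comment above the check, e.g. `// Use the intrinsic: sta.length is user-visible and can be redefined. The length of a shared typed array is assumed fixed, so later conversions cannot invalidate this check.` The same conversion-after-check order appears in the hunks for AtomicsStoreJS, AtomicsAddJS, AtomicsSubJS, AtomicsAndJS, AtomicsOrJS, AtomicsXorJS and AtomicsExchangeJS (AtomicsLoadJS has no conversion after the check). Whether CheckSharedTypedArray and CheckSharedIntegerTypedArray themselves read any patchable property is not visible in these hunks and is worth confirming. Each function body continues past the end of its hunk.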
@@ -63,7 +63,7 @@ function AtomicsStoreJS(sta, index, value) {
 function AtomicsAddJS(ia, index, value) {
 CheckSharedIntegerTypedArray(ia);
 index = $toInteger(index);
- if (index < 0 || index >= ia.length) {
+ if (index < 0 || index >= %_TypedArrayGetLength(ia)) {
 return UNDEFINED;
 }
 value = $toNumber(value);
@@ -73,7 +73,7 @@ function AtomicsAddJS(ia, index, value) {
 function AtomicsSubJS(ia, index, value) {
 CheckSharedIntegerTypedArray(ia);
 index = $toInteger(index);
- if (index < 0 || index >= ia.length) {
+ if (index < 0 || index >= %_TypedArrayGetLength(ia)) {
 return UNDEFINED;
 }
 value = $toNumber(value);
@@ -83,7 +83,7 @@ function AtomicsSubJS(ia, index, value) {
 function AtomicsAndJS(ia, index, value) {
 CheckSharedIntegerTypedArray(ia);
 index = $toInteger(index);
- if (index < 0 || index >= ia.length) {
+ if (index < 0 || index >= %_TypedArrayGetLength(ia)) {
 return UNDEFINED;
 }
 value = $toNumber(value);
@@ -93,7 +93,7 @@ function AtomicsAndJS(ia, index, value) {
 function AtomicsOrJS(ia, index, value) {
 CheckSharedIntegerTypedArray(ia);
 index = $toInteger(index);
- if (index < 0 || index >= ia.length) {
+ if (index < 0 || index >= %_TypedArrayGetLength(ia)) {
 return UNDEFINED;
 }
 value = $toNumber(value);
@@ -103,7 +103,7 @@ function AtomicsOrJS(ia, index, value) {
 function AtomicsXorJS(ia, index, value) {
 CheckSharedIntegerTypedArray(ia);
 index = $toInteger(index);
- if (index < 0 || index >= ia.length) {
+ if (index < 0 || index >= %_TypedArrayGetLength(ia)) {
 return UNDEFINED;
 }
 value = $toNumber(value);
@@ -113,7 +113,7 @@ function AtomicsXorJS(ia, index, value) {
 function AtomicsExchangeJS(ia, index, value) {
 CheckSharedIntegerTypedArray(ia);
 index = $toInteger(index);
- if (index < 0 || index >= ia.length) {
+ if (index < 0 || index >= %_TypedArrayGetLength(ia)) {
 return UNDEFINED;
 }
 value = $toNumber(value);
diff --git a/test/mjsunit/harmony/atomics.js b/test/mjsunit/harmony/atomics.js
index 09344a1..bff9f95 100644
--- a/test/mjsunit/harmony/atomics.js
+++ b/test/mjsunit/harmony/atomics.js
@@ -123,6 +123,21 @@ function testAtomicOp(op, ia, index, expectedIndex, name) {
 assertEquals(undefined, Atomics.xor(si32a, i, 0), name);
 assertEquals(undefined, Atomics.exchange(si32a, i, 0), name);
 });
+
+ // Monkey-patch length and make sure these functions still return undefined.
+ Object.defineProperty(si32a, 'length', {get: function() { return 1000; }});
+ [2, 100].forEach(function(i) {
+ var name = String(i);
+ assertEquals(undefined, Atomics.compareExchange(si32a, i, 0, 0), name);
+ assertEquals(undefined, Atomics.load(si32a, i), name);
+ assertEquals(undefined, Atomics.store(si32a, i, 0), name);
+ assertEquals(undefined, Atomics.add(si32a, i, 0), name);
+ assertEquals(undefined, Atomics.sub(si32a, i, 0), name);
+ assertEquals(undefined, Atomics.and(si32a, i, 0), name);
+ assertEquals(undefined, Atomics.or(si32a, i, 0), name);
+ assertEquals(undefined, Atomics.xor(si32a, i, 0), name);
+ assertEquals(undefined, Atomics.exchange(si32a, i, 0), name);
+ });
 })();
 
 (function TestGoodIndex() {
diff --git a/test/mjsunit/regress/regress-crbug-501809.js b/test/mjsunit/regress/regress-crbug-501809.js
index b348e5d..c3abadf 100644
--- a/test/mjsunit/regress/regress-crbug-501809.js
+++ b/test/mjsunit/regress/regress-crbug-501809.js
@@ -6,4 +6,4 @@
 var sab = new SharedArrayBuffer(8);
 var ta = new Int32Array(sab);
 ta.__defineSetter__('length', function() {;});
-assertThrows(function() { Atomics.compareExchange(ta, 4294967295, 0, 0); });
+Atomics.compareExchange(ta, 4294967295, 0, 0);
-- 
2.7.4
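Review bot: The added block only covers a patched `length` that reports more elements than the array has, installed as an own getter on `si32a`; the opposite direction, where the property reports fewer elements, is not exercised, so the tests would not notice if an in-bounds access started to depend on the patchable property again. A fresh shared Int32Array with `Object.defineProperty(ta, 'length', {get: function() { return 0; }});` and an assertion that `Atomics.load(ta, 0)` still returns the stored value would pin that as well. The real length of `si32a` is set outside this hunk (the enclosing function starts above it), so indices 2 and 100 should be checked against it, and a short comment stating that length next to `[2, 100]` would make the intent readable.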
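Review bot: The regression test in regress-crbug-501809.js no longer asserts anything, because the new line `Atomics.compareExchange(ta, 4294967295, 0, 0);` only shows that the call does not throw. The patched functions return `UNDEFINED` for an out-of-range index, so the expected result can be pinned with `assertEquals(undefined, Atomics.compareExchange(ta, 4294967295, 0, 0));`. That keeps the test meaningful if the bounds check is changed again.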