authorverwaest@chromium.org <verwaest@chromium.org>2013-03-18 13:35:17 +0000
committerBen Noordhuis <info@bnoordhuis.nl>2013-03-23 17:14:28 +0100
commit14417fdb3fe68d0c0142e16359b75e9be44b1780 (patch)
tree3da51a2cad0027b3a4ce96dad053a406d76231f9 /deps/v8
parent628bd81afb73f6948524bebc2a7a30f6abaae4b1 (diff)
downloadnode-new-14417fdb3fe68d0c0142e16359b75e9be44b1780.tar.gz
v8: Unify kMaxArguments with number of bits used to encode it.
Increase the number of bits by 1 by making Flags unsigned. BUG=chromium:211741 Review URL: https://chromiumcodereview.appspot.com/12886008 This is a back-port of commits 13964 and 13988 addressing CVE-2013-2632.
Diffstat (limited to 'deps/v8')
-rw-r--r--deps/v8/src/objects-inl.h3
-rw-r--r--deps/v8/src/objects.h7
-rw-r--r--deps/v8/src/parser.cc4
-rw-r--r--deps/v8/src/parser.h5
-rw-r--r--deps/v8/src/stub-cache.cc8
5 files changed, 13 insertions, 14 deletions
diff --git a/deps/v8/src/objects-inl.h b/deps/v8/src/objects-inl.h
index ea5a93f16b..4834fa63a4 100644
--- a/deps/v8/src/objects-inl.h
+++ b/deps/v8/src/objects-inl.h
@@ -3500,8 +3500,9 @@ Code::Flags Code::ComputeFlags(Kind kind,
kind == CALL_IC ||
kind == STORE_IC ||
kind == KEYED_STORE_IC);
+ ASSERT(argc <= Code::kMaxArguments);
// Compute the bit mask.
- int bits = KindField::encode(kind)
+ unsigned int bits = KindField::encode(kind)
| ICStateField::encode(ic_state)
| TypeField::encode(type)
| ExtraICStateField::encode(extra_ic_state)
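Review bot: The new `ASSERT(argc <= Code::kMaxArguments)` bounds argc only from above and is compiled out of release builds, so in production the only guard keeping argc inside the field above kArgumentsCountShift is the parser check in parser.cc. argc is a plain int here, so a negative value would pass the assertion and presumably be shifted into the flags word with its sign bits; I would tighten it to `ASSERT(argc >= 0 && argc <= Code::kMaxArguments);` and add `// Release builds rely on the parser enforcing Code::kMaxArguments.` above it. Code::ComputeFlags begins and ends outside this hunk, so the shift that consumes `bits` is not visible here.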
diff --git a/deps/v8/src/objects.h b/deps/v8/src/objects.h
index 755dd42d9e..47d775781b 100644
--- a/deps/v8/src/objects.h
+++ b/deps/v8/src/objects.h
@@ -4180,8 +4180,8 @@ class Code: public HeapObject {
// FLAGS_MIN_VALUE and FLAGS_MAX_VALUE are specified to ensure that
// enumeration type has correct value range (see Issue 830 for more details).
enum Flags {
- FLAGS_MIN_VALUE = kMinInt,
- FLAGS_MAX_VALUE = kMaxInt
+ FLAGS_MIN_VALUE = 0,
+ FLAGS_MAX_VALUE = kMaxUInt32
};
#define CODE_KIND_LIST(V) \
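Review bot: The comment above FLAGS_MIN_VALUE/FLAGS_MAX_VALUE still only says the values "ensure that enumeration type has correct value range", but the reason for this change is that the range is now unsigned 0..kMaxUInt32 so that the former sign bit becomes usable by the argc field; that should be recorded next to the enumerators, e.g. `// Unsigned 0..kMaxUInt32: the sign bit is reclaimed for the argc field, see kArgumentsBits.` The enum's underlying type is compiler-chosen and need only be wide enough for kMaxUInt32, so any code that converts Flags to or from int (not visible in this hunk) should be checked for sign-extension or truncation assumptions. The Code class continues outside this hunk.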
@@ -4644,6 +4644,9 @@ class Code: public HeapObject {
// Signed field cannot be encoded using the BitField class.
static const int kArgumentsCountShift = 14;
static const int kArgumentsCountMask = ~((1 << kArgumentsCountShift) - 1);
+ static const int kArgumentsBits =
+ PlatformSmiTagging::kSmiValueSize - Code::kArgumentsCountShift + 1;
+ static const int kMaxArguments = (1 << kArgumentsBits) - 1;
// This constant should be encodable in an ARM instruction.
static const int kFlagsNotUsedInLookup =
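Review bot: kArgumentsBits is derived from PlatformSmiTagging::kSmiValueSize, but nothing ties it to the 32-bit Flags word that FLAGS_MAX_VALUE = kMaxUInt32 now declares; if kSmiValueSize is 32 on a 64-bit target (its value is not visible here), the formula yields 19 bits, which together with kArgumentsCountShift = 14 is one bit more than a 32-bit value holds. A compile-time check next to the constants would catch that: `STATIC_ASSERT(Code::kArgumentsCountShift + Code::kArgumentsBits <= 32);` (or the project's equivalent). The rationale that the parser.h deletion removed should also live here, e.g. `// Upper bound on call/parameter counts: argc must fit in the bits above kArgumentsCountShift in Flags.` The Code class starts and ends outside this hunk.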
diff --git a/deps/v8/src/parser.cc b/deps/v8/src/parser.cc
index 03e4b039cc..6da414af93 100644
--- a/deps/v8/src/parser.cc
+++ b/deps/v8/src/parser.cc
@@ -4243,7 +4243,7 @@ ZoneList<Expression*>* Parser::ParseArguments(bool* ok) {
while (!done) {
Expression* argument = ParseAssignmentExpression(true, CHECK_OK);
result->Add(argument, zone());
- if (result->length() > kMaxNumFunctionParameters) {
+ if (result->length() > Code::kMaxArguments) {
ReportMessageAt(scanner().location(), "too_many_arguments",
Vector<const char*>::empty());
*ok = false;
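Review bot: The per-call-site argument limit is now Code::kMaxArguments, a constant derived from code-layout facts (kArgumentsCountShift and kSmiValueSize) that may differ per platform, whereas the removed kMaxNumFunctionParameters was a fixed 32766 with an explanatory comment in parser.h; a one-line comment here keeps the reason visible to parser maintainers, e.g. `// Bounded by the argc bits Code::Flags can encode (Code::kArgumentsBits).` It is also worth noting in that comment that the check covers only syntactic call sites and parameter lists, so any other route by which an argument count reaches ComputeFlags, if one exists, is not bounded by the parser. ParseArguments begins and ends outside this hunk.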
@@ -4420,7 +4420,7 @@ FunctionLiteral* Parser::ParseFunctionLiteral(Handle<String> function_name,
top_scope_->DeclareParameter(param_name, VAR);
num_parameters++;
- if (num_parameters > kMaxNumFunctionParameters) {
+ if (num_parameters > Code::kMaxArguments) {
ReportMessageAt(scanner().location(), "too_many_parameters",
Vector<const char*>::empty());
*ok = false;
diff --git a/deps/v8/src/parser.h b/deps/v8/src/parser.h
index 93fd1b8aa9..e36a9b3dca 100644
--- a/deps/v8/src/parser.h
+++ b/deps/v8/src/parser.h
@@ -449,11 +449,6 @@ class Parser {
Vector<Handle<String> > args);
private:
- // Limit on number of function parameters is chosen arbitrarily.
- // Code::Flags uses only the low 17 bits of num-parameters to
- // construct a hashable id, so if more than 2^17 are allowed, this
- // should be checked.
- static const int kMaxNumFunctionParameters = 32766;
static const int kMaxNumFunctionLocals = 131071; // 2^17-1
enum Mode {
diff --git a/deps/v8/src/stub-cache.cc b/deps/v8/src/stub-cache.cc
index 411914719c..8490c7e748 100644
--- a/deps/v8/src/stub-cache.cc
+++ b/deps/v8/src/stub-cache.cc
@@ -617,7 +617,7 @@ Handle<Code> StubCache::ComputeCallConstant(int argc,
Handle<Code> code =
compiler.CompileCallConstant(object, holder, function, name, check);
code->set_check_type(check);
- ASSERT_EQ(flags, code->flags());
+ ASSERT(flags == code->flags());
PROFILE(isolate_,
CodeCreateEvent(CALL_LOGGER_TAG(kind, CALL_IC_TAG), *code, *name));
GDBJIT(AddCode(GDBJITInterface::CALL_IC, *name, *code));
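Review bot: Replacing ASSERT_EQ with a plain ASSERT of `flags == code->flags()` drops the expected/actual values from the failure message, presumably because the equality helper has no overload for the now-unsigned Flags enum; if that is the reason, casting both sides to a type the helper does accept keeps the diagnostic, e.g. `ASSERT_EQ(static_cast<int64_t>(flags), static_cast<int64_t>(code->flags()));`. The same substitution appears in the three hunks that follow and the same remark applies there. ComputeCallConstant starts outside this hunk.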
@@ -655,7 +655,7 @@ Handle<Code> StubCache::ComputeCallField(int argc,
Handle<Code> code =
compiler.CompileCallField(Handle<JSObject>::cast(object),
holder, index, name);
- ASSERT_EQ(flags, code->flags());
+ ASSERT(flags == code->flags());
PROFILE(isolate_,
CodeCreateEvent(CALL_LOGGER_TAG(kind, CALL_IC_TAG), *code, *name));
GDBJIT(AddCode(GDBJITInterface::CALL_IC, *name, *code));
@@ -692,7 +692,7 @@ Handle<Code> StubCache::ComputeCallInterceptor(int argc,
Handle<Code> code =
compiler.CompileCallInterceptor(Handle<JSObject>::cast(object),
holder, name);
- ASSERT_EQ(flags, code->flags());
+ ASSERT(flags == code->flags());
PROFILE(isolate(),
CodeCreateEvent(CALL_LOGGER_TAG(kind, CALL_IC_TAG), *code, *name));
GDBJIT(AddCode(GDBJITInterface::CALL_IC, *name, *code));
@@ -721,7 +721,7 @@ Handle<Code> StubCache::ComputeCallGlobal(int argc,
CallStubCompiler compiler(isolate(), argc, kind, extra_state, cache_holder);
Handle<Code> code =
compiler.CompileCallGlobal(receiver, holder, cell, function, name);
- ASSERT_EQ(flags, code->flags());
+ ASSERT(flags == code->flags());
PROFILE(isolate(),
CodeCreateEvent(CALL_LOGGER_TAG(kind, CALL_IC_TAG), *code, *name));
GDBJIT(AddCode(GDBJITInterface::CALL_IC, *name, *code));