
Commit 2ebd5fc

verwaestCommit bot
authored andcommitted
Fix Array.prototype.slice with arguments object with negative length.
BUG= Review URL: https://codereview.chromium.org/1436813002 Cr-Commit-Position: refs/heads/master@{#31941}
1 parent 673baa3 commit 2ebd5fc

2 files changed

Lines changed: 15 additions & 11 deletions


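--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -197,16 +197,12 @@ inline bool ClampedToInteger(Object* object, int* out) {
 
 inline bool GetSloppyArgumentsLength(Isolate* isolate, Handle<JSObject> object,
 int* out) {
-Map* arguments_map =
-isolate->context()->native_context()->sloppy_arguments_map();
-if (object->map() != arguments_map || !object->HasFastElements()) {
-return false;
-}
+Map* arguments_map = isolate->native_context()->sloppy_arguments_map();
+if (object->map() != arguments_map) return false;
+DCHECK(object->HasFastElements());
 Object* len_obj = object->InObjectPropertyAt(Heap::kArgumentsLengthIndex);
-if (!len_obj->IsSmi()) {
-return false;
-}
-*out = Smi::cast(len_obj)->value();
+if (!len_obj->IsSmi()) return false;
+*out = Max(0, Smi::cast(len_obj)->value());
 return *out <= object->elements()->length();
 }
 
@@ -993,11 +989,11 @@ bool IterateElements(Isolate* isolate, Handle<JSObject> receiver,
 uint32_t length = 0;
 
 if (receiver->IsJSArray()) {
-Handle<JSArray> array(Handle<JSArray>::cast(receiver));
+Handle<JSArray> array = Handle<JSArray>::cast(receiver);
 length = static_cast<uint32_t>(array->length()->Number());
 } else {
 Handle<Object> val;
-Handle<Object> key(isolate->heap()->length_string(), isolate);
+Handle<Object> key = isolate->factory()->length_string();
 ASSIGN_RETURN_ON_EXCEPTION_VALUE(
 isolate, val, Runtime::GetObjectProperty(isolate, receiver, key),
 false);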
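Review bot: In the new GetSloppyArgumentsLength body the runtime `!object->HasFastElements()` guard has become `DCHECK(object->HasFastElements())`, which is compiled out of release builds, so in production the fast-elements assumption behind `*out <= object->elements()->length()` now rests solely on the map comparison on the preceding line, and nothing in the function states why that is enough. That is presumably sound because an elements-kind transition away from fast elements installs a different map, but the invariant deserves to be written down; I would add `// Any elements transition away from fast elements replaces the map, so an object that still carries the sloppy arguments map has fast elements by construction.` above the DCHECK. The `Max(0, ...)` clamp matches ToLength() treating a negative length as 0, and the bound check against the backing-store length is what keeps callers (outside this hunk) from reading past the elements array, so those callers must keep acting on the `false` return rather than on the out-parameter.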
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
// Copyright 2015 the V8 project authors. All rights reserved.
2+
// Use of this source code is governed by a BSD-style license that can be
3+
// found in the LICENSE file.
4+
5+
function f() { return arguments; }
6+
var o = f();
7+
o.length = -100;
8+
Array.prototype.slice.call(o);
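Review bot: The regression test only checks that `Array.prototype.slice.call(o)` no longer crashes and discards the result, so a later change that returns a non-empty or malformed array for a negative length would still pass. Assuming the mjsunit harness loads its assertion helpers for this file, pin the expected value with `assertEquals(0, Array.prototype.slice.call(o).length);`, since ToLength(-100) is 0 and the slice must be empty. A short comment such as `// A sloppy arguments object whose length was set negative must not make slice read past its elements store.` would also tell the next reader what this file guards against.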
