v8: Unify kMaxArguments with number of bits used to encode it.

Increase the number of bits by 1 by making Flags unsigned. BUG=chromium:211741 Review URL: https://chromiumcodereview.appspot.com/12886008 This is a back-port of commits 13964 and 13988 addressing CVE-2013-2632.
2013-03-18 13:35:17 +00:00 · 2013-03-18 13:35:17 +00:00 · 14417fdb3f
commit 14417fdb3f
parent 628bd81afb
5 changed files with 13 additions and 14 deletions
--- a/deps/v8/src/objects-inl.h
+++ b/deps/v8/src/objects-inl.h
@ -3500,8 +3500,9 @@ Code::Flags Code::ComputeFlags(Kind kind,
         kind == CALL_IC ||
         kind == STORE_IC ||
         kind == KEYED_STORE_IC);
+  ASSERT(argc <= Code::kMaxArguments);
  // Compute the bit mask.
-  int bits = KindField::encode(kind)
+  unsigned int bits = KindField::encode(kind)
      | ICStateField::encode(ic_state)
      | TypeField::encode(type)
      | ExtraICStateField::encode(extra_ic_state)
--- a/deps/v8/src/objects.h
+++ b/deps/v8/src/objects.h
@ -4180,8 +4180,8 @@ class Code: public HeapObject {
  // FLAGS_MIN_VALUE and FLAGS_MAX_VALUE are specified to ensure that
  // enumeration type has correct value range (see Issue 830 for more details).
  enum Flags {
-    FLAGS_MIN_VALUE = kMinInt,
-    FLAGS_MAX_VALUE = kMaxInt
+    FLAGS_MIN_VALUE = 0,
+    FLAGS_MAX_VALUE = kMaxUInt32
  };

 #define CODE_KIND_LIST(V) \
@ -4644,6 +4644,9 @@ class Code: public HeapObject {
  // Signed field cannot be encoded using the BitField class.
  static const int kArgumentsCountShift = 14;
  static const int kArgumentsCountMask = ~((1 << kArgumentsCountShift) - 1);
+  static const int kArgumentsBits =
+      PlatformSmiTagging::kSmiValueSize - Code::kArgumentsCountShift + 1;
+  static const int kMaxArguments = (1 << kArgumentsBits) - 1;

  // This constant should be encodable in an ARM instruction.
  static const int kFlagsNotUsedInLookup =
--- a/deps/v8/src/parser.cc
+++ b/deps/v8/src/parser.cc
@ -4243,7 +4243,7 @@ ZoneList<Expression*>* Parser::ParseArguments(bool* ok) {
  while (!done) {
    Expression* argument = ParseAssignmentExpression(true, CHECK_OK);
    result->Add(argument, zone());
-    if (result->length() > kMaxNumFunctionParameters) {
+    if (result->length() > Code::kMaxArguments) {
      ReportMessageAt(scanner().location(), "too_many_arguments",
                      Vector<const char*>::empty());
      *ok = false;
@ -4420,7 +4420,7 @@ FunctionLiteral* Parser::ParseFunctionLiteral(Handle<String> function_name,

      top_scope_->DeclareParameter(param_name, VAR);
      num_parameters++;
-      if (num_parameters > kMaxNumFunctionParameters) {
+      if (num_parameters > Code::kMaxArguments) {
        ReportMessageAt(scanner().location(), "too_many_parameters",
                        Vector<const char*>::empty());
        *ok = false;
--- a/deps/v8/src/parser.h
+++ b/deps/v8/src/parser.h
@ -449,11 +449,6 @@ class Parser {
                       Vector<Handle<String> > args);

 private:
-  // Limit on number of function parameters is chosen arbitrarily.
-  // Code::Flags uses only the low 17 bits of num-parameters to
-  // construct a hashable id, so if more than 2^17 are allowed, this
-  // should be checked.
-  static const int kMaxNumFunctionParameters = 32766;
  static const int kMaxNumFunctionLocals = 131071;  // 2^17-1

  enum Mode {
--- a/deps/v8/src/stub-cache.cc
+++ b/deps/v8/src/stub-cache.cc
@ -617,7 +617,7 @@ Handle<Code> StubCache::ComputeCallConstant(int argc,
  Handle<Code> code =
      compiler.CompileCallConstant(object, holder, function, name, check);
  code->set_check_type(check);
-  ASSERT_EQ(flags, code->flags());
+  ASSERT(flags == code->flags());
  PROFILE(isolate_,
          CodeCreateEvent(CALL_LOGGER_TAG(kind, CALL_IC_TAG), *code, *name));
  GDBJIT(AddCode(GDBJITInterface::CALL_IC, *name, *code));
@ -655,7 +655,7 @@ Handle<Code> StubCache::ComputeCallField(int argc,
  Handle<Code> code =
      compiler.CompileCallField(Handle<JSObject>::cast(object),
                                holder, index, name);
-  ASSERT_EQ(flags, code->flags());
+  ASSERT(flags == code->flags());
  PROFILE(isolate_,
          CodeCreateEvent(CALL_LOGGER_TAG(kind, CALL_IC_TAG), *code, *name));
  GDBJIT(AddCode(GDBJITInterface::CALL_IC, *name, *code));
@ -692,7 +692,7 @@ Handle<Code> StubCache::ComputeCallInterceptor(int argc,
  Handle<Code> code =
      compiler.CompileCallInterceptor(Handle<JSObject>::cast(object),
                                      holder, name);
-  ASSERT_EQ(flags, code->flags());
+  ASSERT(flags == code->flags());
  PROFILE(isolate(),
          CodeCreateEvent(CALL_LOGGER_TAG(kind, CALL_IC_TAG), *code, *name));
  GDBJIT(AddCode(GDBJITInterface::CALL_IC, *name, *code));
@ -721,7 +721,7 @@ Handle<Code> StubCache::ComputeCallGlobal(int argc,
  CallStubCompiler compiler(isolate(), argc, kind, extra_state, cache_holder);
  Handle<Code> code =
      compiler.CompileCallGlobal(receiver, holder, cell, function, name);
-  ASSERT_EQ(flags, code->flags());
+  ASSERT(flags == code->flags());
  PROFILE(isolate(),
          CodeCreateEvent(CALL_LOGGER_TAG(kind, CALL_IC_TAG), *code, *name));
  GDBJIT(AddCode(GDBJITInterface::CALL_IC, *name, *code));