From 4b8c7186d170641fad9baa9d4bfbea15fd26c6f7 Mon Sep 17 00:00:00 2001 From: Paul Leathers Date: Tue, 18 Jun 2019 03:00:56 -0700 Subject: [PATCH] deps: update ChakraCore to Microsoft/ChakraCore@ba1f4455f9 [MERGE #6167 @pleath] Fail on unexpected missing item constant in an array head segment during native array conversion Merge pull request #6167 from pleath:arrayfail Reviewed-By: chakrabot --- .../core/lib/Runtime/Library/JavascriptArray.cpp | 5 +++++ .../core/lib/Runtime/Library/SparseArraySegment.inl | 7 ++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/deps/chakrashim/core/lib/Runtime/Library/JavascriptArray.cpp b/deps/chakrashim/core/lib/Runtime/Library/JavascriptArray.cpp index e05f2313551..926d9b637df 100644 --- a/deps/chakrashim/core/lib/Runtime/Library/JavascriptArray.cpp +++ b/deps/chakrashim/core/lib/Runtime/Library/JavascriptArray.cpp @@ -9,6 +9,7 @@ // TODO: Change this generic fatal error to the descriptive one. #define AssertAndFailFast(x) if (!(x)) { Assert(x); Js::Throw::FatalInternalError(); } +#define AssertMsgAndFailFast(x, m) if (!(x)) { AssertMsg((x), m); Js::Throw::FatalInternalError(); } using namespace Js; @@ -1758,6 +1759,7 @@ using namespace Js; ival = ((SparseArraySegment*)seg)->elements[i /*+ seg->length*/]; if (ival == JavascriptNativeIntArray::MissingItem) { + AssertMsgAndFailFast(newSeg != intArray->head || !intArray->HasNoMissingValues(), "Unexpected missing item during array conversion"); continue; } newSeg->elements[i] = (double)ival; @@ -2025,6 +2027,7 @@ using namespace Js; ival = ((SparseArraySegment*)seg)->elements[i]; if (ival == JavascriptNativeIntArray::MissingItem) { + AssertMsgAndFailFast(seg != intArray->head || !intArray->HasNoMissingValues(), "Unexpected missing item during array conversion"); continue; } newSeg->elements[i] = JavascriptNumber::ToVar(ival, scriptContext); 
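Review bot: `AssertMsgAndFailFast` in the first hunk expands to a bare `if` statement, so a use of the form `if (c) AssertMsgAndFailFast(x, m); else …` would not parse as intended; the usual guard is `#define AssertMsgAndFailFast(x, m) do { if (!(x)) { AssertMsg((x), m); Js::Throw::FatalInternalError(); } } while (0)`. The existing `AssertAndFailFast` one line above has the same shape, so keeping the two macros parallel may be deliberate, in which case both should change together or neither. Note also that `x` appears twice in the expansion and is evaluated twice in builds where `AssertMsg` is live; the four call sites in this commit pass side-effect-free expressions, so that is a constraint worth a one-line comment on the macro rather than a bug here.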
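Review bot: The fail-fast added at line 1758 compares `newSeg` with `intArray->head`, while the three sibling checks at 2025, 2059 and 2238 compare the source segment `seg`; if `head` has already been repointed at `newSeg` before this loop the two forms are equivalent, otherwise the head-segment case is never exercised on this path. A short comment at the 1758 site would make the asymmetry intentional, e.g. `// newSeg is assumed to have replaced head by this point, so the HasNoMissingValues check applies to the converted head — confirm`. The message at the 2238 site also drops the word "array" (`"Unexpected missing item during conversion"`), which makes the four fail-fast sites harder to find together when triaging a crash. The enclosing functions begin and end outside each of these hunks.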
@@ -2059,6 +2062,7 @@ using namespace Js; ival = ((SparseArraySegment*)seg)->elements[i]; if (ival == JavascriptNativeIntArray::MissingItem) { + AssertMsgAndFailFast(seg != intArray->head || !intArray->HasNoMissingValues(), "Unexpected missing item during array conversion"); ((SparseArraySegment*)seg)->elements[i] = (Var)JavascriptArray::MissingItem; } else @@ -2238,6 +2242,7 @@ using namespace Js; { if (SparseArraySegment::IsMissingItem(&((SparseArraySegment*)seg)->elements[i])) { + AssertMsgAndFailFast(seg != fArray->head || !fArray->HasNoMissingValues(), "Unexpected missing item during conversion"); if (seg == newSeg) { newSeg->elements[i] = (Var)JavascriptArray::MissingItem; diff --git a/deps/chakrashim/core/lib/Runtime/Library/SparseArraySegment.inl b/deps/chakrashim/core/lib/Runtime/Library/SparseArraySegment.inl index 8e0f1515db1..81c9a709290 100644 --- a/deps/chakrashim/core/lib/Runtime/Library/SparseArraySegment.inl +++ b/deps/chakrashim/core/lib/Runtime/Library/SparseArraySegment.inl @@ -268,7 +268,12 @@ namespace Js Assert(sizeof(T) % sizeof(Var) == 0); uint step = sizeof(T) / sizeof(Var); - for (uint i = start; i < size * step; i++) + // We're filling [length...size-1] based on the element size. If this is going to be a float segment on 32-bit, + // only fill past the point where the float elements will reside. Size * step has to be a 32-bit number. + start *= step; + size *= step; + + for (uint i = start; i < size; i++) { ((Var*)(this->elements))[i] = fill; // swb: no write barrier, set to non-GC pointer }
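Review bot: The comment added in the SparseArraySegment.inl hunk says `size * step` has to fit in 32 bits, but nothing enforces it: `size *= step;` wraps silently on overflow and the loop would then stop early, leaving the tail of `elements` unfilled (the previous `i < size * step` had the same weakness, so this is not a regression). Guarding the multiplication, `Assert(size <= UINT_MAX / step);` placed before `size *= step;`, would at least make the stated assumption checked in debug builds, assuming `size` is a `uint` like the loop index. The hunk also rewrites the `start` and `size` parameters in place, and the enclosing function continues past the hunk, so any later use of those names now sees the scaled values — worth confirming against the rest of the function.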