Use large count in the boundFunction call

akroshg · akroshg · commit 2eccf56501ec · 2018-05-30T16:12:32.000-07:00
We can get large count in the boundfunction new instance. We should be using the large count variant API to get the count (OS#17406027)
diff --git a/lib/Runtime/Library/BoundFunction.cpp b/lib/Runtime/Library/BoundFunction.cpp
@@ -177,12 +177,13 @@ namespace Js
             // OACR thinks that this can change between here and the check in the for loop below
             const unsigned int argCount = args.Info.Count;
 
-            if ((boundFunction->count + args.GetArgCountWithExtraArgs()) > CallInfo::kMaxCountArgs)
+            uint32 newArgCount = UInt32Math::Add(boundFunction->count, args.GetLargeArgCountWithExtraArgs());
+            if (newArgCount > CallInfo::kMaxCountArgs)
             {
                 JavascriptError::ThrowRangeError(scriptContext, JSERR_ArgListTooLarge);
             }
 
-            Field(Var) *newValues = RecyclerNewArray(scriptContext->GetRecycler(), Field(Var), boundFunction->count + args.GetArgCountWithExtraArgs());
+            Field(Var) *newValues = RecyclerNewArray(scriptContext->GetRecycler(), Field(Var), newArgCount);
 
             uint index = 0;
 
@@ -218,7 +219,7 @@ namespace Js
             actualArgs = Arguments(args.Info, unsafe_write_barrier_cast<Var*>(newValues));
             actualArgs.Info.Count = boundFunction->count + argCount;
 
-            Assert(index == actualArgs.GetArgCountWithExtraArgs());
+            Assert(index == actualArgs.GetLargeArgCountWithExtraArgs());
         }
         else
         {
diff --git a/test/Bugs/misc_bugs.js b/test/Bugs/misc_bugs.js
@@ -130,6 +130,12 @@ var tests = [
         function foo() {}
         Reflect.construct(foo, new Array(2**16-2));
       } catch(e) { }
+
+      try {
+        function foo() {}
+        var bar = foo.bind({}, 1);
+        new bar(...(new Array(2**16+1)))
+      } catch(e) { }
     }
   }
   

Original file line number	Diff line number	Diff line change
`@@ -177,12 +177,13 @@ namespace Js`
`177`	`177`	`// OACR thinks that this can change between here and the check in the for loop below`
`178`	`178`	`const unsigned int argCount = args.Info.Count;`
`179`	`179`
`180`		`- if ((boundFunction->count + args.GetArgCountWithExtraArgs()) > CallInfo::kMaxCountArgs)`
	`180`	`+ uint32 newArgCount = UInt32Math::Add(boundFunction->count, args.GetLargeArgCountWithExtraArgs());`
	`181`	`+ if (newArgCount > CallInfo::kMaxCountArgs)`
`181`	`182`	`{`
`182`	`183`	`JavascriptError::ThrowRangeError(scriptContext, JSERR_ArgListTooLarge);`
`183`	`184`	`}`
`184`	`185`
`185`		`- Field(Var) *newValues = RecyclerNewArray(scriptContext->GetRecycler(), Field(Var), boundFunction->count + args.GetArgCountWithExtraArgs());`
	`186`	`+ Field(Var) *newValues = RecyclerNewArray(scriptContext->GetRecycler(), Field(Var), newArgCount);`
`186`	`187`
`187`	`188`	`uint index = 0;`
`188`	`189`
`@@ -218,7 +219,7 @@ namespace Js`
`218`	`219`	`actualArgs = Arguments(args.Info, unsafe_write_barrier_cast<Var*>(newValues));`
`219`	`220`	`actualArgs.Info.Count = boundFunction->count + argCount;`
`220`	`221`
`221`		`- Assert(index == actualArgs.GetArgCountWithExtraArgs());`
	`222`	`+ Assert(index == actualArgs.GetLargeArgCountWithExtraArgs());`
`222`	`223`	`}`
`223`	`224`	`else`
`224`	`225`	`{`
Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,12 @@ var tests = [`
`130`	`130`	`function foo() {}`
`131`	`131`	`Reflect.construct(foo, new Array(2**16-2));`
`132`	`132`	`} catch(e) { }`
	`133`	`+`
	`134`	`+ try {`
	`135`	`+ function foo() {}`
	`136`	`+ var bar = foo.bind({}, 1);`
	`137`	`+ new bar(...(new Array(2**16+1)))`
	`138`	`+ } catch(e) { }`
`133`	`139`	`}`
`134`	`140`	`}`
`135`	`141`