Bug 1551128 - Limit result bit length in BigInt.asUintN on negative values r=jwalden

Differential Revision: https://phabricator.services.mozilla.com/D30874

--HG--
extra : moz-landing-system : lando

js/src/jit-test/tests/bigint/bug1551128.js

@@ -0,0 +1,6 @@
+load(libdir + "asserts.js");
+
+assertEq(BigInt.asUintN(32, -1n), 0xffffffffn);
+assertThrowsInstanceOf(() => BigInt.asUintN(2**32 - 1, -1n), RangeError);
+assertThrowsInstanceOf(() => BigInt.asUintN(2**32, -1n), RangeError);
+assertThrowsInstanceOf(() => BigInt.asUintN(2**53 - 1, -1n), RangeError);

js/src/vm/BigIntType.cpp

@@ -2244,6 +2244,12 @@ BigInt* BigInt::truncateAndSubFromPowerOfTwo(JSContext* cx, HandleBigInt x,
   MOZ_ASSERT(bits != 0);
   MOZ_ASSERT(!x->isZero());
 
+  if (bits > MaxBitLength) {
+    JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
+                              JSMSG_BIGINT_TOO_LARGE);
+    return nullptr;
+  }
+
   size_t resultLength = CeilDiv(bits, DigitBits);
   RootedBigInt result(cx,
                       createUninitialized(cx, resultLength, resultNegative));

js/src/vm/BigIntType.h

@@ -204,10 +204,11 @@ class BigInt final : public js::gc::TenuredCell {
   static_assert(DigitBits == 32 || DigitBits == 64,
                 "Unexpected BigInt Digit size");
 
-  // The maximum number of digits that the current implementation supports
+  // Limit the size of bigint values to 1 million bits, to prevent excessive
-  // would be 0x7fffffff / DigitBits. However, we use a lower limit for now,
+  // memory usage.  This limit may be raised in the future if needed.  Note
-  // because raising it later is easier than lowering it.  Support up to 1
+  // however that there are many parts of the implementation that rely on being
-  // million bits.
+  // able to count and index bits using a 32-bit signed ints, so until those
+  // sites are fixed, the practical limit is 0x7fffffff bits.
   static constexpr size_t MaxBitLength = 1024 * 1024;
   static constexpr size_t MaxDigitLength = MaxBitLength / DigitBits;