
Side by Side Diff: src/objects.h

Issue 275016: Fix overflow in failure "requested size" field. (Closed)
Patch Set: Created 11 years, 2 months ago
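--- a/src/objects.h
+++ b/src/objects.h
@@ -1,10 +1,10 @@
 // Copyright 2006-2009 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 // * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 // * Redistributions in binary form must reproduce the above
 // copyright notice, this list of conditions and the following
 // disclaimer in the documentation and/or other materials provided
@@ -941,24 +941,24 @@
 DISALLOW_IMPLICIT_CONSTRUCTORS(Smi);
 };
 
 
 // Failure is used for reporting out of memory situations and
 // propagating exceptions through the runtime system. Failure objects
 // are transient and cannot occur as part of the object graph.
 //
 // Failures are a single word, encoded as follows:
 // +-------------------------+---+--+--+
-// |rrrrrrrrrrrrrrrrrrrrrrrrr|sss|tt|11|
+// |...rrrrrrrrrrrrrrrrrrrrrr|sss|tt|11|
 // +-------------------------+---+--+--+
-// 3 7 6 4 32 10
-// 1
+// 7 6 4 32 10
+//
 //
 // The low two bits, 0-1, are the failure tag, 11. The next two bits,
 // 2-3, are a failure type tag 'tt' with possible values:
 // 00 RETRY_AFTER_GC
 // 01 EXCEPTION
 // 10 INTERNAL_ERROR
 // 11 OUT_OF_MEMORY_EXCEPTION
 //
 // The next three bits, 4-6, are an allocation space tag 'sss'. The
 // allocation space tag is 000 for all failure types except
@@ -1006,22 +1006,22 @@
 static inline Failure* cast(Object* object);
 
 // Dispatched behavior.
 void FailurePrint();
 void FailurePrint(StringStream* accumulator);
 #ifdef DEBUG
 void FailureVerify();
 #endif
 
 private:
-inline int value() const;
-static inline Failure* Construct(Type type, int value = 0);
+inline intptr_t value() const;
+static inline Failure* Construct(Type type, intptr_t value = 0);
 
 DISALLOW_IMPLICIT_CONSTRUCTORS(Failure);
 };
 
 
 // Heap objects typically have a map pointer in their first word. However,
 // during GC other data (eg, mark bits, forwarding addresses) is sometimes
 // encoded in the first word. The class MapWord is an abstraction of the
 // value in a heap object's first word.
 class MapWord BASE_EMBEDDED {
@@ -4889,10 +4889,10 @@
 } else {
 value &= ~(1 << bit_position);
 }
 return value;
 }
 };
 
 } } // namespace v8::internal
 
 #endif // V8_OBJECTS_H_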
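Review bot: Widening `value()` and the `value` parameter of `Construct` (lines 1016-1017) to `intptr_t` removes the 32-bit truncation, but the updated comment still does not say how wide the `r` field actually is: the redrawn diagram shows it as `...rrr` starting at bit 7, so the field holds a word minus seven tag bits, and any value needing more than that is still silently truncated when packed. The section comment should state this explicitly, e.g. `// The remaining bits, 7 and up, hold the value (for RETRY_AFTER_GC presumably the requested size); values that do not fit in word-size minus 7 bits cannot be encoded.` Only the declarations are in this hunk; wherever `Construct` shifts `value` into the word (outside this diff), an ASSERT that `value` round-trips through `value()` would turn an oversize request into a debug failure rather than a wrong size. Since the parameter is now signed, the same place is where a non-negativity check belongs if sizes are never negative.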
