Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1469)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 8898021: Fix crash in d8 when external array ctor hits stack overflow (Closed)

Created:
9 years ago by Jakob Kummerow
Modified:
9 years ago
Reviewers:
Rico
CC:
v8-dev
Visibility:
Public.

Description

Fix crash in d8 when external array ctor hits stack overflow BUG=100859 TEST=mjsunit/regress/regress-crbug-100859 Committed: http://code.google.com/p/v8/source/detail?r=10242

Patch Set 1 #

Total comments: 10

Patch Set 2 : addressed comments, simplified code #

Unified diffs Side-by-side diffs Delta from patch set Stats (+54 lines, -3 lines) Patch
M src/d8.cc View 1 1 chunk +15 lines, -3 lines 0 comments Download
A test/mjsunit/regress/regress-crbug-100859.js View 1 1 chunk +39 lines, -0 lines 0 comments Download

Messages

Total messages: 3 (0 generated)
Jakob Kummerow
PTAL.
9 years ago (2011-12-13 10:39:46 UTC) #1
Rico
LGTM, consider making a local TryCatch http://codereview.chromium.org/8898021/diff/1/src/d8.cc File src/d8.cc (right): http://codereview.chromium.org/8898021/diff/1/src/d8.cc#newcode299 src/d8.cc:299: if (args[0]->IsUint32()) { ...
9 years ago (2011-12-13 11:28:39 UTC) #2
Jakob Kummerow
9 years ago (2011-12-13 13:04:36 UTC) #3 
Thanks for the comments; I ended up simplifying this quite a bit. Please take
another quick look.

http://codereview.chromium.org/8898021/diff/1/src/d8.cc
File src/d8.cc (right):

http://codereview.chromium.org/8898021/diff/1/src/d8.cc#newcode299
src/d8.cc:299: if (args[0]->IsUint32()) {
On 2011/12/13 11:28:39, Rico wrote:
> Below: How about just having a local TryCatch? The functionality in isolate.cc
> should throw to the TryCatch nearest to the top of the stack

Done.

http://codereview.chromium.org/8898021/diff/1/src/d8.cc#newcode316
src/d8.cc:316: return ThrowException(String::New("Array length must be a
number."));
On 2011/12/13 11:28:39, Rico wrote:
> we already established that length is a number, so this exception seems wrong.
> Can we ever end up here?

On second thought, no, we can't. Done.

http://codereview.chromium.org/8898021/diff/1/test/mjsunit/regress/regress-cr...
File test/mjsunit/regress/regress-crbug-100859.js (right):

http://codereview.chromium.org/8898021/diff/1/test/mjsunit/regress/regress-cr...
test/mjsunit/regress/regress-crbug-100859.js:33: exception = false;
On 2011/12/13 11:28:39, Rico wrote:
> var exeception

Done. Copy-paste-error.

http://codereview.chromium.org/8898021/diff/1/test/mjsunit/regress/regress-cr...
test/mjsunit/regress/regress-crbug-100859.js:41: assertTrue(exception);
On 2011/12/13 11:28:39, Rico wrote:
> we don't really need this: exception=false => we should have hit
> assertUnreachable

Right. Done.

http://codereview.chromium.org/8898021/diff/1/test/mjsunit/regress/regress-cr...
test/mjsunit/regress/regress-crbug-100859.js:48: var exception = false;
On 2011/12/13 11:28:39, Rico wrote:
> not var

Done.

Powered by Google App Engine
This is Rietveld 408576698