Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(245)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 11931037: Out of bounds memory access in TestJSArrayForAllocationSiteInfo. (Closed)

Created:
7 years, 11 months ago by mvstanton
Modified:
7 years, 11 months ago
CC:
v8-dev
Visibility:
Public.

Description

Out of bounds memory access in TestJSArrayForAllocationSiteInfo. The function intended to check the map pointer of an AllocationSiteInfo object, but neglected to subtract an offset to do so. BUG=169928 Committed: https://code.google.com/p/v8/source/detail?r=13444

Patch Set 1 #

Patch Set 2 : Removed trailing whitespace #

Patch Set 3 : Object heap tagging, and regression test (sort of) #

Patch Set 4 : Accidentally removed a line on arm, and spacing. #

Patch Set 5 : Can be more efficient with instructions #

Patch Set 6 : Updated other platform conditional test to match change in ia32 #

Total comments: 1

Patch Set 7 : Made regression test #

Patch Set 8 : Removed temporary change in ia32 macro assembler #

Total comments: 10

Patch Set 9 : Responded to Michael's comments, thx #

Total comments: 2

Patch Set 10 : Comments from Ulan #

Unified diffs Side-by-side diffs Delta from patch set Stats (+115 lines, -18 lines) Patch
M src/arm/macro-assembler-arm.cc View 1 2 3 4 5 1 chunk +3 lines, -3 lines 0 comments Download
M src/ia32/macro-assembler-ia32.cc View 1 2 3 4 5 6 7 1 chunk +4 lines, -3 lines 0 comments Download
M src/mips/macro-assembler-mips.cc View 1 2 3 4 5 1 chunk +3 lines, -3 lines 0 comments Download
M src/x64/macro-assembler-x64.cc View 1 2 3 4 5 1 chunk +3 lines, -3 lines 0 comments Download
M test/cctest/test-heap.cc View 1 2 3 4 5 6 7 8 9 1 chunk +84 lines, -0 lines 0 comments Download
M test/mjsunit/allocation-site-info.js View 1 2 3 4 5 6 7 1 chunk +18 lines, -6 lines 0 comments Download

Messages

Total messages: 7 (0 generated)
mvstanton
Hi guys, here is the fix. The regression test just makes sure to go down ...
7 years, 11 months ago (2013-01-17 16:19:32 UTC) #1
mvstanton
Okay, here is the fix with a regression test: 1) the golem run had no ...
7 years, 11 months ago (2013-01-18 15:59:34 UTC) #2
Michael Starzinger
Drive-by-comments on the regression test. https://chromiumcodereview.appspot.com/11931037/diff/14001/test/cctest/test-heap.cc File test/cctest/test-heap.cc (right): https://chromiumcodereview.appspot.com/11931037/diff/14001/test/cctest/test-heap.cc#newcode2749 test/cctest/test-heap.cc:2749: ASSERT(limit != *limit_addr); I ...
7 years, 11 months ago (2013-01-21 09:54:26 UTC) #3
ulan_google
LGTM https://codereview.chromium.org/11931037/diff/20001/test/cctest/test-heap.cc File test/cctest/test-heap.cc (right): https://codereview.chromium.org/11931037/diff/20001/test/cctest/test-heap.cc#newcode2744 test/cctest/test-heap.cc:2744: Address* limit_addr = HEAP->new_space()->allocation_limit_address(); Now that the assertion ...
7 years, 11 months ago (2013-01-21 12:21:07 UTC) #4
mvstanton
Thanks for the comments and help! https://codereview.chromium.org/11931037/diff/14001/test/cctest/test-heap.cc File test/cctest/test-heap.cc (right): https://codereview.chromium.org/11931037/diff/14001/test/cctest/test-heap.cc#newcode2749 test/cctest/test-heap.cc:2749: ASSERT(limit != *limit_addr); ...
7 years, 11 months ago (2013-01-21 12:25:39 UTC) #5
ulan
LGTM
7 years, 11 months ago (2013-01-21 12:27:25 UTC) #6
danno
7 years, 11 months ago (2013-01-21 12:38:18 UTC) #7
Message was sent while issue was closed. 
lgtm with some nits

https://codereview.chromium.org/11931037/diff/10001/test/mjsunit/allocation-s...
File test/mjsunit/allocation-site-info.js (right):

https://codereview.chromium.org/11931037/diff/10001/test/mjsunit/allocation-s...
test/mjsunit/allocation-site-info.js:84: function get_standard_literal() {
nit: maybe just get_literal()

https://codereview.chromium.org/11931037/diff/14001/src/ia32/macro-assembler-...
File src/ia32/macro-assembler-ia32.cc (right):

https://codereview.chromium.org/11931037/diff/14001/src/ia32/macro-assembler-...
src/ia32/macro-assembler-ia32.cc:3058: 
nit: discard the whitespace change

https://codereview.chromium.org/11931037/diff/14001/test/mjsunit/allocation-s...
File test/mjsunit/allocation-site-info.js (right):

https://codereview.chromium.org/11931037/diff/14001/test/mjsunit/allocation-s...
test/mjsunit/allocation-site-info.js:78: function fastliteralcase(literal,
value) {
2 space indent for the "then" body of this function

https://codereview.chromium.org/11931037/diff/14001/test/mjsunit/allocation-s...
test/mjsunit/allocation-site-info.js:79: // var literal = [1, 2, 3];
nit: remove the commented-out line above

https://codereview.chromium.org/11931037/diff/14001/test/mjsunit/allocation-s...
test/mjsunit/allocation-site-info.js:81: return literal;
2 space indent above.

https://codereview.chromium.org/11931037/diff/14001/test/mjsunit/allocation-s...
test/mjsunit/allocation-site-info.js:85: var literal = [1, 2, 3];
2-space indent here and below

https://codereview.chromium.org/11931037/diff/14001/test/mjsunit/allocation-s...
test/mjsunit/allocation-site-info.js:115: var literal = [1, 2, 3, 4];
nit: 2-space indent here too

Powered by Google App Engine
This is Rietveld 408576698