Side by Side Diff: src/ia32/macro-assembler-ia32.cc

Issue 11931037: Out of bounds memory access in TestJSArrayForAllocationSiteInfo. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Comments from Ulan Created 7 years, 11 months ago
1 // Copyright 2012 the V8 project authors. All rights reserved. 1 // Copyright 2012 the V8 project authors. All rights reserved.
2 // Redistribution and use in source and binary forms, with or without 2 // Redistribution and use in source and binary forms, with or without
3 // modification, are permitted provided that the following conditions are 3 // modification, are permitted provided that the following conditions are
4 // met: 4 // met:
5 // 5 //
6 // * Redistributions of source code must retain the above copyright 6 // * Redistributions of source code must retain the above copyright
7 // notice, this list of conditions and the following disclaimer. 7 // notice, this list of conditions and the following disclaimer.
8 // * Redistributions in binary form must reproduce the above 8 // * Redistributions in binary form must reproduce the above
9 // copyright notice, this list of conditions and the following 9 // copyright notice, this list of conditions and the following
10 // disclaimer in the documentation and/or other materials provided 10 // disclaimer in the documentation and/or other materials provided
(...skipping 3037 matching lines...) Expand 10 before | Expand all | Expand 10 after
3048 cmp(ecx, isolate()->factory()->null_value()); 3048 cmp(ecx, isolate()->factory()->null_value());
3049 j(not_equal, &next); 3049 j(not_equal, &next);
3050 } 3050 }
3051 3051
3052 3052
3053 void MacroAssembler::TestJSArrayForAllocationSiteInfo( 3053 void MacroAssembler::TestJSArrayForAllocationSiteInfo(
3054 Register receiver_reg, 3054 Register receiver_reg,
3055 Register scratch_reg, 3055 Register scratch_reg,
3056 Label* allocation_info_present) { 3056 Label* allocation_info_present) {
3057 Label no_info_available; 3057 Label no_info_available;
3058
3058 ExternalReference new_space_start = 3059 ExternalReference new_space_start =
3059 ExternalReference::new_space_start(isolate()); 3060 ExternalReference::new_space_start(isolate());
3060 ExternalReference new_space_allocation_top = 3061 ExternalReference new_space_allocation_top =
3061 ExternalReference::new_space_allocation_top_address(isolate()); 3062 ExternalReference::new_space_allocation_top_address(isolate());
3062 3063
3063 lea(scratch_reg, Operand(receiver_reg, 3064 lea(scratch_reg, Operand(receiver_reg,
3064 JSArray::kSize + AllocationSiteInfo::kSize)); 3065 JSArray::kSize + AllocationSiteInfo::kSize - kHeapObjectTag));
3065 cmp(scratch_reg, Immediate(new_space_start)); 3066 cmp(scratch_reg, Immediate(new_space_start));
3066 j(less, &no_info_available); 3067 j(less, &no_info_available);
3067 cmp(scratch_reg, Operand::StaticVariable(new_space_allocation_top)); 3068 cmp(scratch_reg, Operand::StaticVariable(new_space_allocation_top));
3068 j(greater_equal, &no_info_available); 3069 j(greater, &no_info_available);
3069 cmp(MemOperand(scratch_reg, 0), 3070 cmp(MemOperand(scratch_reg, -AllocationSiteInfo::kSize),
3070 Immediate(Handle<Map>(isolate()->heap()->allocation_site_info_map()))); 3071 Immediate(Handle<Map>(isolate()->heap()->allocation_site_info_map())));
3071 j(equal, allocation_info_present); 3072 j(equal, allocation_info_present);
3072 bind(&no_info_available); 3073 bind(&no_info_available);
3073 } 3074 }
3074 3075
3075 3076
3076 } } // namespace v8::internal 3077 } } // namespace v8::internal
3077 3078
3078 #endif // V8_TARGET_ARCH_IA32 3079 #endif // V8_TARGET_ARCH_IA32
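Review bot: The lower-bound check on the new side now compares the end of the would-be AllocationSiteInfo (receiver + JSArray::kSize + AllocationSiteInfo::kSize - kHeapObjectTag) against new_space_start, so a receiver lying within AllocationSiteInfo::kSize bytes below new_space_start passes both range tests while the map load at `MemOperand(scratch_reg, -AllocationSiteInfo::kSize)` reads below the start of new space; whether such a receiver can occur depends on page layout around the new-space reservation, but the old invariant (info start >= new_space_start) no longer holds. Testing the start against new_space_start first and then the end against the allocation top keeps the whole read inside [new_space_start, top]. Both comparisons also use signed conditions (`less`/`greater`) on addresses, unchanged from the old code; `below`/`above` express an address-range test without depending on which half of the address space the heap occupies. A comment such as `// scratch_reg holds the untagged end of the info slot; it must not pass the allocation top` would also help, since the negative offset in the map load is not self-explanatory.
```cpp
  // Start of the would-be AllocationSiteInfo (untagged); must lie in new space.
  lea(scratch_reg, Operand(receiver_reg, JSArray::kSize - kHeapObjectTag));
  cmp(scratch_reg, Immediate(new_space_start));
  j(below, &no_info_available);
  // End of the info; the whole object must sit below the allocation top.
  add(scratch_reg, Immediate(AllocationSiteInfo::kSize));
  cmp(scratch_reg, Operand::StaticVariable(new_space_allocation_top));
  j(above, &no_info_available);
  // … unchanged: map compare at -AllocationSiteInfo::kSize, j(equal), bind …
```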