Issue 184493002: A JSArray may have a filler map in the elements pointer.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Issue 184493002: A JSArray may have a filler map in the elements pointer. (Closed)

Created:
6 years, 9 months ago by mvstanton

Modified:
6 years, 9 months ago

Reviewers:
Hannes Payer (out of office)

CC:
v8-dev

Base URL:
https://v8.googlecode.com/svn/branches/bleeding_edge

Visibility:
Public.

More Reviews

Description

A JSArray may have a filler map in the elements pointer. We already have code that expects this, but incorrectly asserted that the filler map case would never happen when allocation folding is turned on. However, even folding has it's limits, bailing out of continued folding when the object size grows too large. Therefore, it's a general problem when verifying JSArray objects, that we might encounter a filler map in elements(). Discovered by ClusterFuzz crbug 347903. R=hpayer@chromium.org LOG=N BUG=347903 Committed: https://code.google.com/p/v8/source/detail?r=19604

Patch Set 1 #

Total comments: 1

Patch Set 2 : fixin' nits. #

Created: 6 years, 9 months ago

Download [raw] [tar.bz2]

		Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+22 lines, -2 lines)			Patch
	M	src/objects-debug.cc	View		1 chunk	+3 lines, -2 lines	0 comments	Download
	A	test/mjsunit/regress/regress-crbug-347903.js	View	1	1 chunk	+19 lines, -0 lines	0 comments	Download

Messages

Total messages: 2 (0 generated)

Expand Messages | Collapse Messages

Hannes Payer (out of office)

lgtm, one comment nit https://codereview.chromium.org/184493002/diff/1/test/mjsunit/regress/regress-crbug-347903.js File test/mjsunit/regress/regress-crbug-347903.js (right): https://codereview.chromium.org/184493002/diff/1/test/mjsunit/regress/regress-crbug-347903.js#newcode10 test/mjsunit/regress/regress-crbug-347903.js:10: // __v_14. fix comment, __v_14

6 years, 9 months ago (2014-02-28 12:24:21 UTC) #1

mvstanton

6 years, 9 months ago (2014-02-28 12:29:26 UTC) #2

Message was sent while issue was closed.

Committed patchset #2 manually as r19604 (tree was closed).

Expand Messages | Collapse Messages