
Side by Side Diff: src/zone.cc

Issue 1930873002: Fix overflow issue in Zone::New (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: windows likes casts Created 4 years, 7 months ago
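--- a/src/zone.cc
+++ b/src/zone.cc
@@ -1,10 +1,10 @@
 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/zone.h"
 
 #include <cstring>
 
 #include "src/v8.h"
 
@@ -97,21 +97,24 @@
   if (kPointerSize == 4 && kAlignment == 4) {
     position_ += ((~size) & 4) & (reinterpret_cast<intptr_t>(position_) & 4);
   } else {
     DCHECK(kAlignment >= kPointerSize);
   }
 
   // Check if the requested size is available without expanding.
   Address result = position_;
 
   const size_t size_with_redzone = size + kASanRedzoneBytes;
-  if (limit_ < position_ + size_with_redzone) {
+  const uintptr_t limit = reinterpret_cast<uintptr_t>(limit_);
+  const uintptr_t position = reinterpret_cast<uintptr_t>(position_);
+  // position_ > limit_ can be true after the alignment correction above.
+  if (limit < position || size_with_redzone > limit - position) {
     result = NewExpand(size_with_redzone);
   } else {
     position_ += size_with_redzone;
   }
 
   Address redzone_position = result + size;
   DCHECK(redzone_position + kASanRedzoneBytes == position_);
   ASAN_POISON_MEMORY_REGION(redzone_position, kASanRedzoneBytes);
 
   // Check that the result has the proper alignment and return it.
@@ -214,21 +217,24 @@
 void Zone::DeleteSegment(Segment* segment, size_t size) {
   segment_bytes_allocated_ -= size;
   allocator_->Free(segment, size);
 }
 
 
 Address Zone::NewExpand(size_t size) {
   // Make sure the requested size is already properly aligned and that
   // there isn't enough room in the Zone to satisfy the request.
   DCHECK_EQ(size, RoundDown(size, kAlignment));
-  DCHECK_LT(limit_, position_ + size);
+  DCHECK(limit_ < position_ ||
+         reinterpret_cast<uintptr_t>(limit_) -
+                 reinterpret_cast<uintptr_t>(position_) <
+             size);
 
   // Compute the new segment size. We use a 'high water mark'
   // strategy, where we increase the segment size every time we expand
   // except that we employ a maximum segment size when we delete. This
   // is to avoid excessive malloc() and free() overhead.
   Segment* head = segment_head_;
   const size_t old_size = (head == nullptr) ? 0 : head->size();
   static const size_t kSegmentOverhead = sizeof(Segment) + kAlignment;
   const size_t new_size_no_overhead = size + (old_size << 1);
   size_t new_size = kSegmentOverhead + new_size_no_overhead;
@@ -265,10 +271,10 @@
   // size bytes + header and alignment padding)
   DCHECK(reinterpret_cast<uintptr_t>(position_) >=
          reinterpret_cast<uintptr_t>(result));
   limit_ = segment->end();
   DCHECK(position_ <= limit_);
   return result;
 }
 
 }  // namespace internal
 }  // namespace v8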
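Review bot: The new capacity check at new line 110 is computed from `size_with_redzone`, but the addition that produces it on the unchanged line 106, `size + kASanRedzoneBytes`, can still wrap when `size` is within `kASanRedzoneBytes` of `SIZE_MAX`; a wrapped value is small, the subtraction-based check then passes, and `result + size` on line 116 wraps as well, so the fix does not cover the full input range in ASan builds (in builds where `kASanRedzoneBytes` is zero this cannot happen). The start of the enclosing function is outside the hunk, so an earlier bound on `size` may already exclude this; if not, a guard before line 106 such as `CHECK_LE(size, std::numeric_limits<size_t>::max() - kASanRedzoneBytes);` closes it. The same wrapping concern applies to `size + (old_size << 1)` and `kSegmentOverhead + new_size_no_overhead` in the NewExpand context at new lines 239-240, whose handling lies in the elided lines after this hunk and cannot be judged from here.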