Chromium Code Reviews

Issue 2454513003: Revert of [compiler] Properly validate stable map assumption for globals. (Closed)

Created: 4 years, 1 month ago by Benedikt Meurer
Modified: 4 years, 1 month ago
Reviewers: Yang
CC: v8-reviews_googlegroups.com
Target Ref: refs/pending/heads/master
Project: v8
Visibility: Public.

Description

Revert of [compiler] Properly validate stable map assumption for globals. (patchset #3 id:40001 of https://codereview.chromium.org/2444233004/ )

Reason for revert:
Breaks tree: http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/8789

Original issue's description:
> [compiler] Properly validate stable map assumption for globals.
>
> For global object property cells, we did not check that the map on the
> previous object is still the same for which we actually optimized. So
> the optimized code was not in sync with the actual state of the property
> cell. When loading from such a global object property cell, Crankshaft
> optimizes away any map checks (based on the stable map assumption),
> leading to arbitrary memory access in the worst case.
>
> TurboFan has the same bug for stores, but is safe on loads because we
> do appropriate map checks there. However mixing TurboFan and Crankshaft
> still exposes the bug.
>
> R=yangguo@chromium.org
> BUG=chromium:659475

TBR=yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:659475

Committed: https://crrev.com/d0a047d440ea6283f9e63056cf5ec1fa3203e309
Cr-Commit-Position: refs/heads/master@{#40582}

Patch Set 1 #

Stats: +9 lines, -86 lines
M src/compiler/js-global-object-specialization.cc (1 chunk: +2 lines, -7 lines)
M src/crankshaft/hydrogen.cc (1 chunk: +4 lines, -12 lines)
M src/crankshaft/hydrogen-instructions.h (1 chunk: +0 lines, -1 line)
M src/runtime/runtime-utils.h (1 chunk: +3 lines, -5 lines)
D test/mjsunit/regress/regress-crbug-659475-1.js (1 chunk: +0 lines, -30 lines)
D test/mjsunit/regress/regress-crbug-659475-2.js (1 chunk: +0 lines, -31 lines)

Messages

Total messages: 7 (3 generated)
Benedikt Meurer
Created Revert of [compiler] Properly validate stable map assumption for globals.
4 years, 1 month ago (2016-10-26 11:11:09 UTC) #2
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2454513003/1
4 years, 1 month ago (2016-10-26 11:11:14 UTC) #3
commit-bot: I haz the power
Committed patchset #1 (id:1)
4 years, 1 month ago (2016-10-26 11:11:28 UTC) #5
commit-bot: I haz the power
4 years, 1 month ago (2016-11-17 22:13:34 UTC) #7
Message was sent while issue was closed.
Patchset 1 (id:??) landed as
https://crrev.com/d0a047d440ea6283f9e63056cf5ec1fa3203e309
Cr-Commit-Position: refs/heads/master@{#40582}
