Chromium Code Reviews

Issue 695213004: Handle store buffer slot overwrite during object promotion. (Closed)

Created:
6 years, 1 month ago by Jarin
Modified:
6 years, 1 month ago
CC:
v8-dev
Project:
v8
Visibility:
Public.

Description

Handle store buffer slot overwrite during object promotion.

The bad scenario this fix handles: we have a slot in a free list, then promote the object pointed to by the slot during scavenge. When allocating the space for the promoted object, we overwrite the slot with the free list entry map if the object is allocated just before the slot. After the allocation, ScavengingVisitor::PromoteObject overwrites the slot with the address of the allocated object, thus corrupting the free list.

Unfortunately, we do not have a way to construct a reliable repro case because we would need to somehow craft a free list and store buffer slot to be in the right configuration.

R=hpayer@chromium.org
BUG=

Committed: https://code.google.com/p/v8/source/detail?r=25143
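The interleaving described in the commit message is easy to misread, so here is a toy simulation of it. This is an added example, not code from V8 or from this change (the patch itself is not reproduced on this page): it models old space as a word array with a free list whose entries start with a `FREE_MAP` marker word, a stale store-buffer slot that sits in the body of a free-list entry, and a promotion that bump-allocates from the head of the free list. The guard in `promote_checked` (skip the slot update if the allocation already rewrote the slot) is this example's own defensive check and is not claimed to be what r25143 does. All names (`old_space`, `allocate_old`, `promote_unchecked`, `run_scenario`) are invented for the simulation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model: word-addressed old space, a free list, one young object,
 * and a stale store-buffer slot inside a free-list entry (constructed). */
#define OLD_WORDS 16
#define OBJ_WORDS 4
#define FREE_MAP ((word_t)0xFEED) /* word 0 of every free-list entry */

typedef uintptr_t word_t;

static word_t old_space[OLD_WORDS];
static word_t young_space[OBJ_WORDS];  /* the object being promoted */
static word_t *free_head;              /* first free entry, NULL if none */

/* Free entry layout: [FREE_MAP][size in words][next entry or 0]...body... */
static void free_list_init(void) {
    memset(old_space, 0, sizeof old_space);
    old_space[0] = FREE_MAP;
    old_space[1] = OLD_WORDS;
    old_space[2] = 0;
    free_head = old_space;
}

/* Carve n words from the head entry. The remainder gets a fresh header
 * written at its first word: that write is what clobbers a stale slot
 * lying immediately after the allocated object. */
static word_t *allocate_old(size_t n) {
    word_t *entry = free_head;
    if (entry == NULL || entry[1] < n + 3) return NULL;
    word_t *rest = entry + n;
    rest[0] = FREE_MAP;
    rest[1] = entry[1] - n;
    rest[2] = entry[2];
    free_head = rest;
    return entry;
}

/* Walk the free list; every entry must still carry FREE_MAP in word 0. */
static int free_list_ok(void) {
    for (word_t *e = free_head; e != NULL; e = (word_t *)e[2]) {
        if (e[0] != FREE_MAP) return 0;
    }
    return 1;
}

/* The hazardous sequence: allocate, copy, then unconditionally store the
 * forwarding address into the slot that referenced the young object. */
static word_t *promote_unchecked(word_t *slot) {
    word_t *target = allocate_old(OBJ_WORDS);
    memcpy(target, young_space, sizeof young_space);
    *slot = (word_t)target;
    return target;
}

/* Same sequence with this example's guard: the allocation may already have
 * rewritten the slot, so forward it only if it still points at the young object. */
static word_t *promote_checked(word_t *slot) {
    word_t *target = allocate_old(OBJ_WORDS);
    memcpy(target, young_space, sizeof young_space);
    if (*slot == (word_t)young_space) {
        *slot = (word_t)target;
    }
    return target;
}

/* Place the stale slot at old_space[slot_index] (inside the free entry body),
 * promote, and report whether the free list survived (1) or not (0).
 * slot_index == OBJ_WORDS is the "allocated just before the slot" case. */
static int run_scenario(int checked, size_t slot_index) {
    free_list_init();
    for (size_t i = 0; i < OBJ_WORDS; i++) young_space[i] = 0xA0 + i;
    word_t *slot = &old_space[slot_index];
    *slot = (word_t)young_space;   /* slot still records the young object */
    if (checked) promote_checked(slot); else promote_unchecked(slot);
    return free_list_ok();
}

int main(void) {
    printf("unchecked, slot right after object: free list ok = %d\n",
           run_scenario(0, OBJ_WORDS));
    printf("checked,   slot right after object: free list ok = %d\n",
           run_scenario(1, OBJ_WORDS));
    printf("unchecked, slot further away:       free list ok = %d\n",
           run_scenario(0, 2 * OBJ_WORDS));
    return 0;
}
```

Only the adjacent case corrupts the list: with the slot further into the free entry body the unchecked write still lands in free space (a separate latent problem) but leaves the header intact, which matches the commit message's "if the object is allocated just before the slot" condition and explains why a reliable repro is hard to craft.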

Patch Set 1 #

Stats: +11 lines, -1 line
M src/heap/heap.cc (1 chunk, +11 lines, -1 line, 0 comments)

Messages

Total messages: 3 (0 generated)
Jarin
Could you take a look, please?
6 years, 1 month ago (2014-11-05 10:20:17 UTC) #1
Hannes Payer (out of office)
lgtm
6 years, 1 month ago (2014-11-05 10:33:47 UTC) #2
Jarin
6 years, 1 month ago (2014-11-05 11:27:42 UTC) #3
Message was sent while issue was closed.
Committed patchset #1 (id:1) manually as 25143 (presubmit successful).
