Clear JS function result caches in all global contexts.

Original patch by Mark Lam <mark.lam@palm.com> from Hewlett-Packard Development Company, LP. (http://codereview.chromium.org/4187007) Fix memory corruption in JSFunctionResultCache::Clear caused by out of bounds writes which was revealed by the patch. Review URL: http://codereview.chromium.org/4200009 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5738 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Clear JS function result caches in all global contexts.
Original patch by Mark Lam <mark.lam@palm.com> from Hewlett-Packard Development Company, LP. (http://codereview.chromium.org/4187007) Fix memory corruption in JSFunctionResultCache::Clear caused by out of bounds writes which was revealed by the patch. Review URL: http://codereview.chromium.org/4200009 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5738 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
1dc2c44e · vegorov@chromium.org · 302abe30 · 1dc2c44e · 1dc2c44e
Commit 1dc2c44e authored Oct 29, 2010 by vegorov@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 13 deletions

heap.cc src/heap.cc +9 -12

objects-inl.h src/objects-inl.h +3 -1

No files found.
--- a/src/heap.cc
+++ b/src/heap.cc
@@ -581,25 +581,22 @@ void Heap::EnsureFromSpaceIsCommitted() {
 }
-class ClearThreadJSFunctionResultCachesVisitor: public ThreadVisitor  {
+void Heap::ClearJSFunctionResultCaches() {
-  virtual void VisitThread(ThreadLocalTop* top) {
+  if (Bootstrapper::IsActive()) return;
-    Context* context = top->context_;
-    if (context == NULL) return;
+  Object* context = global_contexts_list_;
+  while (!context->IsUndefined()) {
+    // Get the caches for this context:
    FixedArray* caches =
-      context->global()->global_context()->jsfunction_result_caches();
+      Context::cast(context)->jsfunction_result_caches();
+    // Clear the caches:
    int length = caches->length();
    for (int i = 0; i < length; i++) {
      JSFunctionResultCache::cast(caches->get(i))->Clear();
    }
+    // Get the next context:
+    context = Context::cast(context)->get(Context::NEXT_CONTEXT_LINK);
  }
-};
-void Heap::ClearJSFunctionResultCaches() {
-  if (Bootstrapper::IsActive()) return;
-  ClearThreadJSFunctionResultCachesVisitor visitor;
-  ThreadManager::IterateArchivedThreads(&visitor);
 }

--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -1952,7 +1952,9 @@ void JSFunctionResultCache::MakeZeroSize() {
 void JSFunctionResultCache::Clear() {
  int cache_size = Smi::cast(get(kCacheSizeIndex))->value();
  Object** entries_start = RawField(this, OffsetOfElementAt(kEntriesIndex));
-  MemsetPointer(entries_start, Heap::the_hole_value(), cache_size);
+  MemsetPointer(entries_start,
+                Heap::the_hole_value(),
+                cache_size - kEntriesIndex);
  MakeZeroSize();
 }