[heap] Ensure object ends within chunk range

When iterating objects on a page add CHECKs that we actually load a map and ensure the object ends within the current chunk. Bug: chromium:1055252 Change-Id: I8f2d5f08229cb1a2fce64af6e22988de87d1b572 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2072744Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#66456}

[heap] Ensure object ends within chunk range
When iterating objects on a page add CHECKs that we actually load a map and ensure the object ends within the current chunk. Bug: chromium:1055252 Change-Id: I8f2d5f08229cb1a2fce64af6e22988de87d1b572 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2072744Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#66456}
e7187a62 · Dominik Inführ · Commit Bot · 95fa931e · e7187a62
Commit e7187a62 authored Feb 26, 2020 by Dominik Inführ Committed by Commit Bot Feb 26, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 2 deletions

mark-compact-inl.h src/heap/mark-compact-inl.h +8 -2

No files found.
--- a/src/heap/mark-compact-inl.h
+++ b/src/heap/mark-compact-inl.h
@@ -205,8 +205,11 @@ void LiveObjectRange<mode>::iterator::AdvanceToNextValidObject() {
        // make sure that we skip all set bits in the black area until the
        // object ends.
        HeapObject black_object = HeapObject::FromAddress(addr);
-        map = Map::cast(ObjectSlot(addr).Acquire_Load());
+        Object map_object = ObjectSlot(addr).Acquire_Load();
+        CHECK(map_object.IsMap());
+        map = Map::cast(map_object);
        size = black_object.SizeFromMap(map);
+        CHECK_LE(addr + size, chunk_->area_end());
        Address end = addr + size - kTaggedSize;
        // One word filler objects do not borrow the second mark bit. We have
        // to jump over the advancing and clearing part.
@@ -232,9 +235,12 @@ void LiveObjectRange<mode>::iterator::AdvanceToNextValidObject() {
          object = black_object;
        }
      } else if ((mode == kGreyObjects || mode == kAllLiveObjects)) {
-        map = Map::cast(ObjectSlot(addr).Acquire_Load());
+        Object map_object = ObjectSlot(addr).Acquire_Load();
+        CHECK(map_object.IsMap());
+        map = Map::cast(map_object);
        object = HeapObject::FromAddress(addr);
        size = object.SizeFromMap(map);
+        CHECK_LE(addr + size, chunk_->area_end());
      }

      // We found a live object.