Commits · d2701715f803155b3276223bd293bebcdaf7a5a3 · Linshizhi / V8

21 Nov, 2017 1 commit

[regexp] Avoid integer overflow in callable @@replace · 71b9018c

jgruber authored 7 years ago

The integer value denoting the number of captures (and thus the size
of the list of captures created in @@replace [0]) can be controlled by
the user.  This CL ensures we don't overflow and respect
Code::kMaxArguments, but note that it is still possible to trigger
OOMs through large lists.

Bug: chromium:786573
Change-Id: I19c88908c594487818d083b2ba423764ef91eae0
Reviewed-on: https://chromium-review.googlesource.com/779001Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49530}

71b9018c

31 Mar, 2017 1 commit

[regexp] Revert to ZoneList usage in @@replace · 686c3783

jgruber authored 7 years ago

Fixes a crash found by clusterfuzz caused by a call to
std::vector::reserve with a huge capacity, and reverts to ZoneList
handling as a tentative fix for performance regressions on the slow
@@replace path.

BUG=chromium:707187,chromium:706748,v8:5437

Review-Url: https://codereview.chromium.org/2787343002
Cr-Commit-Position: refs/heads/master@{#44311}

686c3783

15 Feb, 2017 1 commit

[builtins] Convert the hole to undefined when pushing spread arguments. · 817e0358

Peter Marshall authored 8 years ago

The mips64 implementation always ended up in the slowpath due to some
loads that were the wrong width, so that is also fixed here.

BUG=v8:5974

Change-Id: Ie448a1fab5b7fca87597c5a1bf75443864e30c28
Reviewed-on: https://chromium-review.googlesource.com/443247
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43222}

817e0358

07 Feb, 2017 1 commit

[builtins] Fix crash on stack overflow in CheckSpreadAndPushToStack. · f4739ea8

petermarshall authored 8 years ago

For x64, ia32 and x87 we would pop the return address before the stack
overflow check. This meant the stack couldn't be unwound properly if
it was going to overflow. This CL moves the pop of the return address
to after the stack overflow check.

Also adds a regression test to check that a RangeError is thrown.

BUG=689016

Review-Url: https://codereview.chromium.org/2681643004
Cr-Commit-Position: refs/heads/master@{#42984}

f4739ea8

20 Jan, 2017 1 commit

Also suppress exception messages thrown by native scripts · 8b8c8df0

jochen authored 8 years ago

BUG=chromium:681984
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2640983006
Cr-Commit-Position: refs/heads/master@{#42536}

8b8c8df0

04 Jan, 2017 1 commit

[turbofan] Teach escape analysis about StringCharAt · 5662f99b

tebbi authored 8 years ago

R=bmeurer@chromium.org
BUG=chromium:677757

Review-Url: https://codereview.chromium.org/2606383005
Cr-Commit-Position: refs/heads/master@{#42066}

5662f99b