1. 20 Apr, 2020 1 commit
      [heap] Fix an out-of-bounds access in the marking bitmap · 8e8a06fa
      Ulan Degenbaev authored
      Deserializer can trigger OOB read in the marking bitmap inside the
      RegisterDeserializedObjectsForBlackAllocation function. This happens
      for example if an internalized string is deserialized as the last object
      on a page and is then turned into a thin-string leaving a one-word filler
      at the end of the page. In such a case IsBlack(filler) will try to fetch
      a cell outside the marking bitmap.
      
      The fix is to increase the size of the marking bitmap by one cell, so
      that it is always safe to query markbits of any object on a page.
      
      Bug: chromium:978156
      Change-Id: If3c74e4f97d2caeb3c3f37a4147f38dea5f0e5a8
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2152838
      Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
      Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#67223}
  2. 25 Feb, 2019 1 commit
      [heap] Relax accessing markbits in ranges. · b152bb75
      Pierre Langlois authored
      When calling the `bitmap(chunk)` method of the various *MarkingState accessors
      we would receive a raw `Bitmap` pointer which does not tell you if accesses to
      markbits should be made atomically or not. As a result, we would default to
      doing atomic operation when in fact it may not be necessary.
      
      Here we're introducing a templated `ConcurrentBitmap` class that wraps
      operations done on the markbits and allows them to be made non-atomic.
      
      Additionally, some of the `Bitmap` methods were only used to verify the heap and
      in the tests so they do not need atomic implementations. Using them in a
      concurrent context should now fail to link to make sure they're not mis-used in
      the future.
      
      Change-Id: Ifb55f8522c8bf0c87d65da9227864ee428d21bbd
      Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel
      Reviewed-on: https://chromium-review.googlesource.com/c/1482916
      Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
      Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
      Cr-Commit-Position: refs/heads/master@{#59836}
  3. 05 Oct, 2018 1 commit
  4. 20 Mar, 2018 1 commit
  5. 21 Aug, 2017 1 commit
  6. 13 Jun, 2017 1 commit
  7. 12 Jun, 2017 1 commit