src/compiler · 0dcbc230dd4ba28f00fa6fb0bd9498f8ab6f3436 · Linshizhi / V8

[turbofan] Remove unsound SeqString types. · 36426ab7

Benedikt Meurer authored Mar 16, 2018

A value of type OtherSeqString can change its type to OtherNonSeqString
via inplace internalization (and redirection via a ThinString). This can
lead to out of bounds memory accesses and generally correctness bugs, as
seen with crbug.com/822284.

This change might affect performance in some cases, and we'll need to
evaluate whether it's worth spending cycles on adding another mechanism
that leverages the sequential string information in a safe way on a case
by case basis.

Bug: chromium:822284
Change-Id: I0de77ec089a774236555f38c365f7548f454edfe
Reviewed-on: https://chromium-review.googlesource.com/966021Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51975}

36426ab7

Name	Last commit	Last update
..
arm		Loading commit data...
arm64		Loading commit data...
ia32		Loading commit data...
mips		Loading commit data...
mips64		Loading commit data...
ppc		Loading commit data...
s390		Loading commit data...
x64		Loading commit data...
OWNERS		Loading commit data...
STYLE		Loading commit data...
access-builder.cc		Loading commit data...
access-builder.h		Loading commit data...
access-info.cc		Loading commit data...
access-info.h		Loading commit data...
all-nodes.cc		Loading commit data...
all-nodes.h		Loading commit data...
allocation-builder.h		Loading commit data...
basic-block-instrumentor.cc		Loading commit data...
basic-block-instrumentor.h		Loading commit data...
branch-elimination.cc		Loading commit data...
branch-elimination.h		Loading commit data...
bytecode-analysis.cc		Loading commit data...
bytecode-analysis.h		Loading commit data...
bytecode-graph-builder.cc		Loading commit data...
bytecode-graph-builder.h		Loading commit data...
bytecode-liveness-map.cc		Loading commit data...
bytecode-liveness-map.h		Loading commit data...
c-linkage.cc		Loading commit data...
checkpoint-elimination.cc		Loading commit data...
checkpoint-elimination.h		Loading commit data...
code-assembler.cc		Loading commit data...
code-assembler.h		Loading commit data...
code-generator-impl.h		Loading commit data...
code-generator.cc		Loading commit data...
code-generator.h		Loading commit data...
common-node-cache.cc		Loading commit data...
common-node-cache.h		Loading commit data...
common-operator-reducer.cc		Loading commit data...
common-operator-reducer.h		Loading commit data...
common-operator.cc		Loading commit data...
common-operator.h		Loading commit data...
compiler-source-position-table.cc		Loading commit data...
compiler-source-position-table.h		Loading commit data...
control-equivalence.cc		Loading commit data...
control-equivalence.h		Loading commit data...
control-flow-optimizer.cc		Loading commit data...
control-flow-optimizer.h		Loading commit data...
dead-code-elimination.cc		Loading commit data...
dead-code-elimination.h		Loading commit data...
diamond.h		Loading commit data...
effect-control-linearizer.cc		Loading commit data...
effect-control-linearizer.h		Loading commit data...
escape-analysis-reducer.cc		Loading commit data...
escape-analysis-reducer.h		Loading commit data...
escape-analysis.cc		Loading commit data...
escape-analysis.h		Loading commit data...
frame-elider.cc		Loading commit data...
frame-elider.h		Loading commit data...
frame-states.cc		Loading commit data...
frame-states.h		Loading commit data...
frame.cc		Loading commit data...
frame.h		Loading commit data...
functional-list.h		Loading commit data...
gap-resolver.cc		Loading commit data...
gap-resolver.h		Loading commit data...
graph-assembler.cc		Loading commit data...
graph-assembler.h		Loading commit data...
graph-reducer.cc		Loading commit data...
graph-reducer.h		Loading commit data...
graph-trimmer.cc		Loading commit data...
graph-trimmer.h		Loading commit data...
graph-visualizer.cc		Loading commit data...
graph-visualizer.h		Loading commit data...
graph.cc		Loading commit data...
graph.h		Loading commit data...
instruction-codes.h		Loading commit data...
instruction-scheduler.cc		Loading commit data...
instruction-scheduler.h		Loading commit data...
instruction-selector-impl.h		Loading commit data...
instruction-selector.cc		Loading commit data...
instruction-selector.h		Loading commit data...
instruction.cc		Loading commit data...
instruction.h		Loading commit data...
int64-lowering.cc		Loading commit data...
int64-lowering.h		Loading commit data...
js-builtin-reducer.cc		Loading commit data...
js-builtin-reducer.h		Loading commit data...
js-call-reducer.cc		Loading commit data...
js-call-reducer.h		Loading commit data...
js-context-specialization.cc		Loading commit data...
js-context-specialization.h		Loading commit data...
js-create-lowering.cc		Loading commit data...
js-create-lowering.h		Loading commit data...
js-generic-lowering.cc		Loading commit data...
js-generic-lowering.h		Loading commit data...
js-graph.cc		Loading commit data...
js-graph.h		Loading commit data...
js-inlining-heuristic.cc		Loading commit data...
js-inlining-heuristic.h		Loading commit data...
js-inlining.cc		Loading commit data...
js-inlining.h		Loading commit data...
js-intrinsic-lowering.cc		Loading commit data...
js-intrinsic-lowering.h		Loading commit data...
js-native-context-specialization.cc		Loading commit data...
js-native-context-specialization.h		Loading commit data...
js-operator.cc		Loading commit data...
js-operator.h		Loading commit data...
js-type-hint-lowering.cc		Loading commit data...
js-type-hint-lowering.h		Loading commit data...
js-typed-lowering.cc		Loading commit data...
js-typed-lowering.h		Loading commit data...
jump-threading.cc		Loading commit data...
jump-threading.h		Loading commit data...
linkage.cc		Loading commit data...
linkage.h		Loading commit data...
live-range-separator.cc		Loading commit data...
live-range-separator.h		Loading commit data...
load-elimination.cc		Loading commit data...
load-elimination.h		Loading commit data...
loop-analysis.cc		Loading commit data...
loop-analysis.h		Loading commit data...
loop-peeling.cc		Loading commit data...
loop-peeling.h		Loading commit data...
loop-variable-optimizer.cc		Loading commit data...
loop-variable-optimizer.h		Loading commit data...
machine-graph-verifier.cc		Loading commit data...
machine-graph-verifier.h		Loading commit data...
machine-operator-reducer.cc		Loading commit data...
machine-operator-reducer.h		Loading commit data...
machine-operator.cc		Loading commit data...
machine-operator.h		Loading commit data...
memory-optimizer.cc		Loading commit data...
memory-optimizer.h		Loading commit data...
move-optimizer.cc		Loading commit data...
move-optimizer.h		Loading commit data...
node-aux-data.h		Loading commit data...
node-cache.cc		Loading commit data...
node-cache.h		Loading commit data...
node-marker.cc		Loading commit data...
node-marker.h		Loading commit data...
node-matchers.cc		Loading commit data...
node-matchers.h		Loading commit data...
node-properties.cc		Loading commit data...
node-properties.h		Loading commit data...
node.cc		Loading commit data...
node.h		Loading commit data...
opcodes.cc		Loading commit data...
opcodes.h		Loading commit data...
operation-typer.cc		Loading commit data...
operation-typer.h		Loading commit data...
operator-properties.cc		Loading commit data...
operator-properties.h		Loading commit data...
operator.cc		Loading commit data...
operator.h		Loading commit data...
osr.cc		Loading commit data...
osr.h		Loading commit data...
persistent-map.h		Loading commit data...
pipeline-statistics.cc		Loading commit data...
pipeline-statistics.h		Loading commit data...
pipeline.cc		Loading commit data...
pipeline.h		Loading commit data...
property-access-builder.cc		Loading commit data...
property-access-builder.h		Loading commit data...
raw-machine-assembler.cc		Loading commit data...
raw-machine-assembler.h		Loading commit data...
redundancy-elimination.cc		Loading commit data...
redundancy-elimination.h		Loading commit data...
register-allocator-verifier.cc		Loading commit data...
register-allocator-verifier.h		Loading commit data...
register-allocator.cc		Loading commit data...
register-allocator.h		Loading commit data...
representation-change.cc		Loading commit data...
representation-change.h		Loading commit data...
schedule.cc		Loading commit data...
schedule.h		Loading commit data...
scheduler.cc		Loading commit data...
scheduler.h		Loading commit data...
select-lowering.cc		Loading commit data...
select-lowering.h		Loading commit data...
simd-scalar-lowering.cc		Loading commit data...
simd-scalar-lowering.h		Loading commit data...
simplified-lowering.cc		Loading commit data...
simplified-lowering.h		Loading commit data...
simplified-operator-reducer.cc		Loading commit data...
simplified-operator-reducer.h		Loading commit data...
simplified-operator.cc		Loading commit data...
simplified-operator.h		Loading commit data...
state-values-utils.cc		Loading commit data...
state-values-utils.h		Loading commit data...
store-store-elimination.cc		Loading commit data...
store-store-elimination.h		Loading commit data...
type-cache.cc		Loading commit data...
type-cache.h		Loading commit data...
typed-optimization.cc		Loading commit data...
typed-optimization.h		Loading commit data...
typer.cc		Loading commit data...
typer.h		Loading commit data...
types.cc		Loading commit data...
types.h		Loading commit data...
unwinding-info-writer.h		Loading commit data...
value-numbering-reducer.cc		Loading commit data...
value-numbering-reducer.h		Loading commit data...
verifier.cc		Loading commit data...
verifier.h		Loading commit data...
wasm-compiler.cc		Loading commit data...
wasm-compiler.h		Loading commit data...
wasm-linkage.cc		Loading commit data...
zone-stats.cc		Loading commit data...
zone-stats.h		Loading commit data...