    [turbofan] Remove unsound SeqString types. · 36426ab7
    Benedikt Meurer authored
    A value of type OtherSeqString can change its type to OtherNonSeqString
    via inplace internalization (and redirection via a ThinString). This can
    lead to out of bounds memory accesses and generally correctness bugs, as
    seen with crbug.com/822284.
    
    This change might affect performance in some cases, and we'll need to
    evaluate whether it's worth spending cycles on adding another mechanism
    that leverages the sequential string information in a safe way on a case
    by case basis.
    
    Bug: chromium:822284
    Change-Id: I0de77ec089a774236555f38c365f7548f454edfe
    Reviewed-on: https://chromium-review.googlesource.com/966021
    Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
    Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#51975}
Name
benchmarks
cctest
common
debugger
fuzzer
inspector
intl
js-perf-test
memory
message
mjsunit
mkgrokdump
mozilla
preparser
test262
unittests
wasm-spec-tests
webkit
BUILD.gn
bot_default.isolate
d8_default.isolate
default.isolate
optimize_for_size.isolate
perf.isolate