AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Fix overflow issue in Zone::New

Browse Source 
When requesting a large allocation near the end of the address space,
the computation could overflow and erroneously *not* grow the Zone
as required.

BUG=chromium:606115
LOG=y

Review-Url: https://codereview.chromium.org/1930873002
Cr-Commit-Position: refs/heads/master@{#35903}
This commit is contained in:
jkummerow 2016-04-29 04:53:59 -07:00 committed by Commit bot
parent 25fbb9047e
commit 3a9bfecfe4
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/zone.cc
View File

@ -104,7 +104,10 @@ void* Zone::New(size_t size) {
Address result = position_;
const size_t size_with_redzone = size + kASanRedzoneBytes;
if (limit_ < position_ + size_with_redzone) {
const uintptr_t limit = reinterpret_cast<uintptr_t>(limit_);
const uintptr_t position = reinterpret_cast<uintptr_t>(position_);
// position_ > limit_ can be true after the alignment correction above.
if (limit < position || size_with_redzone > limit - position) {
result = NewExpand(size_with_redzone);
} else {
position_ += size_with_redzone;
@ -221,7 +224,10 @@ Address Zone::NewExpand(size_t size) {
// Make sure the requested size is already properly aligned and that
// there isn't enough room in the Zone to satisfy the request.
DCHECK_EQ(size, RoundDown(size, kAlignment));
DCHECK_LT(limit_, position_ + size);
DCHECK(limit_ < position_ ||
reinterpret_cast<uintptr_t>(limit_) -
reinterpret_cast<uintptr_t>(position_) <
size);
// Compute the new segment size. We use a 'high water mark'
// strategy, where we increase the segment size every time we expand