bbf3c697ae
The least two bits of the owner field of a Page are used to determine whether the Page is part of a large object. If these bits are not equal to 0x11, the page is part of a large object and needs special handling e.g. in MemoryChunk::FromAnyPointerAddress to determine which chunk it belongs to. This CL fixes an issue in which the store buffer overflows after a large object space allocation but before the object has been fully initialized. Store buffer overflow handling attempts to look up the chunk of a page, but fails to do so correctly since the page's owner field has not yet been initialized. This CL ensures that the owner field of all pages belonging to a large object allocation is initialized to a value that is interpreted correctly. BUG=chromium:672041 Committed: https://crrev.com/9b6808bfb5366beebe3af30a06f9851edb2039d4 Review-Url: https://codereview.chromium.org/2565713002 Cr-Original-Commit-Position: refs/heads/master@{#41641} Cr-Commit-Position: refs/heads/master@{#41687}
// Copyright 2016 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Trigger an infinite loop through RegExp.prototype[@@match], which results
|
|
// in unbounded growth of the results array.
|
|
|
|
// Limit the number of iterations to avoid OOM while still triggering large
|
|
// object space allocation.
|
|
const min_ptr_size = 4;
|
|
const max_regular_heap_object_size = 507136;
|
|
const num_iterations = max_regular_heap_object_size / min_ptr_size;
|
|
|
|
const RegExpPrototypeExec = RegExp.prototype.exec;
|
|
|
|
let i = 0;
|
|
|
|
RegExp.prototype.__defineGetter__("global", () => true);
|
|
RegExp.prototype.exec = function(str) {
|
|
return (i++ < num_iterations) ? RegExpPrototypeExec.call(this, str) : null;
|
|
};
|
|
|
|
"a".match();
|
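Review bot: `const max_regular_heap_object_size = 507136;` is a hard-coded copy of a heap-configuration value, and nothing in the file says where it comes from or what happens if it drifts; the test presumably only reaches the large-object path once the results array outgrows that size, so a stale constant would likely turn this into a test that no longer reproduces the bug without anyone noticing. A one-line comment above it such as `// Mirrors V8's kMaxRegularHeapObjectSize; if that limit grows, raise this too.` would make the coupling visible, and `min_ptr_size = 4` deserves a note that it is the 32-bit lower bound so the array crosses the threshold on every pointer width. The file also never states how it passes: a comment near `"a".match();` like `// Crash-only regression test: exercises store buffer overflow handling while the large object is still partially initialized.` would spare a reader from looking for an assertion. Since `match()` is called with no argument, it may be worth noting inline that this yields an empty-pattern RegExp whose repeated empty matches, together with the forced `global` getter, are what drive the loop.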