v8/test
bmeurer 2bd7464ec1 [compiler] Properly validate stable map assumption for globals.
For global object property cells, we did not check that the map on the
previous object is still the same for which we actually optimized. So
the optimized code was not in sync with the actual state of the property
cell. When loading from such a global object property cell, Crankshaft
optimizes away any map checks (based on the stable map assumption),
leading to arbitrary memory access in the worst case.

TurboFan has the same bug for stores, but is safe on loads because we
do appropriate map checks there. However, mixing TurboFan and Crankshaft
still exposes the bug.

R=yangguo@chromium.org
BUG=chromium:659475

Review-Url: https://codereview.chromium.org/2444233004
Cr-Commit-Position: refs/heads/master@{#40592}
2016-10-26 13:44:03 +00:00
benchmarks [gn] Move build to gypfiles 2016-04-29 10:11:11 +00:00
cctest Revert of [heap] Uncommit marking deque in concurrent task. (patchset #7 id:120001 of https://codereview.chromium.org/2442443003/ ) 2016-10-26 12:39:40 +00:00
common [wasm] Fix memory leak in wasm-module-runner.cc 2016-10-26 12:08:50 +00:00
debugger [debugger] basic test infrastructure for new debugger test api. 2016-10-21 06:38:05 +00:00
fuzzer [wasm] Cleanup the wasm-call fuzzer 2016-10-24 12:44:03 +00:00
inspector [inspector] enable inspector by default 2016-10-25 07:13:48 +00:00
intl [wasm] asm.js: Add asm_wasm variant to test asm.js->wasm pipeline. 2016-09-19 23:57:13 +00:00
js-perf-test [test] Bump js-test strings timeout even more 2016-10-13 12:29:36 +00:00
memory [snapshot] support multiple contexts in the same snapshot. 2016-06-15 15:39:06 +00:00
message [es8] Remove syntactic tail calls support. 2016-09-28 08:25:45 +00:00
mjsunit [compiler] Properly validate stable map assumption for globals. 2016-10-26 13:44:03 +00:00
mozilla Skip some mozilla tests on turbofan_opt as they consistently timeout 2016-10-07 22:41:42 +00:00
preparser [gn] Move build to gypfiles 2016-04-29 10:11:11 +00:00
promises-aplus Make test262 test runner check for which exception is thrown 2016-03-14 21:20:37 +00:00
simdjs [test] Deprecate test data download for most test suites 2016-08-08 12:39:48 +00:00
test262 [modules] Update test262.status after test262 upstream fix. 2016-10-24 15:49:29 +00:00
unittests [wasm] fix simd opcode read and error case for bad simd opcodes 2016-10-25 22:03:50 +00:00
webkit [wasm] asm.js: Add asm_wasm variant to test asm.js->wasm pipeline. 2016-09-19 23:57:13 +00:00
bot_default.gyp [inspector] Remove inspector_protocol_parser_test target. 2016-08-11 16:45:14 +00:00
bot_default.isolate [debugger] basic test infrastructure for new debugger test api. 2016-10-21 06:38:05 +00:00
BUILD.gn [inspector] Add swarming support to inspector tests 2016-10-12 07:32:06 +00:00
default.gyp [inspector] Remove inspector_protocol_parser_test target. 2016-08-11 16:45:14 +00:00
default.isolate [debugger] basic test infrastructure for new debugger test api. 2016-10-21 06:38:05 +00:00
optimize_for_size.gyp [gn] Move build to gypfiles 2016-04-29 10:11:11 +00:00
optimize_for_size.isolate [debugger] basic test infrastructure for new debugger test api. 2016-10-21 06:38:05 +00:00
perf.gyp [gn] Move build to gypfiles 2016-04-29 10:11:11 +00:00
perf.isolate [Swarming] Isolate perf tests. 2016-02-15 11:17:18 +00:00