Revision: 4461
Author: [email protected]
Date: Wed Apr 21 05:00:05 2010
Log: Bring r4460 to trunk.

This fixes an overwrite past the end of the cache.

Review URL: http://codereview.chromium.org/1689004
http://code.google.com/p/v8/source/detail?r=4461

Modified:
 /trunk/src/objects.h
 /trunk/src/runtime.cc
 /trunk/src/version.cc
 /trunk/test/mjsunit/string-search.js

=======================================
--- /trunk/src/objects.h        Wed Apr 21 01:22:37 2010
+++ /trunk/src/objects.h        Wed Apr 21 05:00:05 2010
@@ -2322,6 +2322,8 @@
   static const int kCacheSizeIndex = kFingerIndex + 1;
   static const int kDummyIndex = kCacheSizeIndex + 1;
   static const int kEntriesIndex = kDummyIndex + 1;
+
+  static const int kEntrySize = 2;  // key + value
 };


=======================================
--- /trunk/src/runtime.cc       Wed Apr 21 01:22:37 2010
+++ /trunk/src/runtime.cc       Wed Apr 21 05:00:05 2010
@@ -10101,8 +10101,10 @@
cache->set(JSFunctionResultCache::kCacheSizeIndex, Smi::FromInt(size + 2));
     return CacheMiss(cache, size, key);
   } else {
-    int target_index = (finger_index < cache->length()) ?
-        finger_index + 2 : JSFunctionResultCache::kEntriesIndex;
+    int target_index = finger_index + JSFunctionResultCache::kEntrySize;
+    if (target_index == cache->length()) {
+      target_index = JSFunctionResultCache::kEntriesIndex;
+    }
     return CacheMiss(cache, target_index, key);
   }
 }
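Review bot: The wrap-around in the `else` branch only triggers when `target_index` lands exactly on `cache->length()`, so it silently depends on the finger always sitting on an entry boundary and on the array length being `kEntriesIndex` plus a whole number of entries. If either assumption were ever broken, the index would step past the end and be passed to `CacheMiss` unchecked, which is the same class of out-of-bounds write this commit is fixing. Writing the test as `if (target_index >= cache->length())`, or keeping `==` and adding `ASSERT(target_index <= cache->length());` before it, states the invariant at no cost. The context line above still stores `Smi::FromInt(size + 2)`; using `JSFunctionResultCache::kEntrySize` there would keep the stride defined in one place. The enclosing function starts outside this hunk, so how `finger_index` is validated on entry is not visible here.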
=======================================
--- /trunk/src/version.cc       Wed Apr 21 01:22:37 2010
+++ /trunk/src/version.cc       Wed Apr 21 05:00:05 2010
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     2
 #define MINOR_VERSION     2
 #define BUILD_NUMBER      4
-#define PATCH_LEVEL       0
+#define PATCH_LEVEL       1
 #define CANDIDATE_VERSION false

 // Define SONAME to have the SCons build the put a specific SONAME into the
=======================================
--- /trunk/test/mjsunit/string-search.js        Thu Sep 11 02:11:10 2008
+++ /trunk/test/mjsunit/string-search.js        Wed Apr 21 05:00:05 2010
@@ -28,3 +28,13 @@
 var str="ABC abc";
 var r = str.search('a');
 assertEquals(r, 4);
+
+// Test for a lot of different string.
+
+var s = "";
+for (var i = 0; i < 100; i++) {
+  s += i;
+  var r = s.search(s);
+  assertEquals(0, r);
+}
+
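Review bot: The added loop does not record which defect it guards against or why 100 iterations are sufficient, so its value as a regression test rests on an unstated relation to the result-cache capacity. Presumably the 100 distinct search strings are meant to fill the cache and force the finger to wrap around; if the capacity were later raised above that count, the loop would stop exercising the wrap path while still passing. A comment such as `// Regression test for r4460: search with more distinct patterns than the result cache holds, so the finger wraps.` would capture the intent. The reuse of `var r`, already declared above the loop, is harmless but could simply be `r = s.search(s);`.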
