Reviewers: Mads Ager,
Description:
Clear JS function result caches in all global contexts.
Original patch by Mark Lam <[email protected]> from Hewlett-Packard
Development
Company, LP. (http://codereview.chromium.org/4187007)
Fix memory corruption in JSFunctionResultCache::Clear caused by out-of-bounds writes, which the patch revealed.
Please review this at http://codereview.chromium.org/4200009/show
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/heap.cc
M src/objects-inl.h
Index: src/heap.cc
diff --git a/src/heap.cc b/src/heap.cc
index
fc9086655201b970f92a4a01911be013eb23d9a7..b037efd80450e1df3aae746d286eb9068b4e4b39
100644
--- a/src/heap.cc
+++ b/src/heap.cc
@@ -581,25 +581,22 @@ void Heap::EnsureFromSpaceIsCommitted() {
}
-class ClearThreadJSFunctionResultCachesVisitor: public ThreadVisitor {
- virtual void VisitThread(ThreadLocalTop* top) {
- Context* context = top->context_;
- if (context == NULL) return;
+void Heap::ClearJSFunctionResultCaches() {
+ if (Bootstrapper::IsActive()) return;
+ Object* context = global_contexts_list_;
+ while (!context->IsUndefined()) {
+ // Get the caches for this context:
FixedArray* caches =
- context->global()->global_context()->jsfunction_result_caches();
+ Context::cast(context)->jsfunction_result_caches();
+ // Clear the caches:
int length = caches->length();
for (int i = 0; i < length; i++) {
JSFunctionResultCache::cast(caches->get(i))->Clear();
}
+ // Get the next context:
+ context = Context::cast(context)->get(Context::NEXT_CONTEXT_LINK);
}
-};
-
-
-void Heap::ClearJSFunctionResultCaches() {
- if (Bootstrapper::IsActive()) return;
- ClearThreadJSFunctionResultCachesVisitor visitor;
- ThreadManager::IterateArchivedThreads(&visitor);
}
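Review bot: `Context::cast(context)` is evaluated twice per iteration, once on the added caches line and again on the `NEXT_CONTEXT_LINK` read; binding it once at the top of the loop body, `Context* current = Context::cast(context);`, and reading both `current->jsfunction_result_caches()` and `current->get(Context::NEXT_CONTEXT_LINK)` from it keeps the cast in one place and makes the list walk easier to follow. The new loop also assumes `global_contexts_list_` always holds a tagged object (undefined at the end of the list) where the removed `ThreadLocalTop` code tolerated a NULL context; if this can run before the list is initialised, the `IsUndefined()` call on the first iteration goes through a null pointer, so that precondition is worth confirming and stating in a comment above the loop. The three `// Get ... :` / `// Clear the caches:` comments restate the code; a single header such as `// Walk the global-context list and clear every context's JS function result caches.` would carry more information.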
Index: src/objects-inl.h
diff --git a/src/objects-inl.h b/src/objects-inl.h
index
4d210172b8b1bc310b738fa326e338c61da3a46e..1852b549bf1802c351297f3363ddac401386e66c
100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -1952,7 +1952,9 @@ void JSFunctionResultCache::MakeZeroSize() {
void JSFunctionResultCache::Clear() {
int cache_size = Smi::cast(get(kCacheSizeIndex))->value();
Object** entries_start = RawField(this,
OffsetOfElementAt(kEntriesIndex));
- MemsetPointer(entries_start, Heap::the_hole_value(), cache_size);
+ MemsetPointer(entries_start,
+ Heap::the_hole_value(),
+ cache_size - kEntriesIndex);
MakeZeroSize();
}
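Review bot: The corrected count `cache_size - kEntriesIndex` goes negative whenever the Smi stored at `kCacheSizeIndex` is smaller than `kEntriesIndex`, and nothing in `Clear` checks that before the value reaches `MemsetPointer`; a debug check after the first line, `ASSERT(cache_size >= kEntriesIndex);`, would make a malformed size fail loudly instead of turning into another out-of-bounds write like the one this patch fixes. The subtraction also deserves a why-comment, since the previous code got exactly this wrong: `// cache_size is an index from the start of the array; the entry run begins at kEntriesIndex, so the header slots must be excluded.` That reading is inferred from the fix and the `OffsetOfElementAt(kEntriesIndex)` start pointer rather than stated on the page, so it should be checked against the layout documented beside `kEntriesIndex` before being committed as a comment.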