Reviewers: Jakob,

Message:
PTAL

Description:
Avoid integer overflow in CopyMap.

Please review this at https://chromiumcodereview.appspot.com/63173023/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+3, -2 lines):
  M src/factory.cc


Index: src/factory.cc
diff --git a/src/factory.cc b/src/factory.cc
index 6da9a2e0b24447fb58cdc46b6731e85e8743e7a0..a7cc080fefa59d52c30f01bb2ed657f41c091b8f 100644
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -626,11 +626,12 @@ Handle<Map> Factory::CopyMap(Handle<Map> src,
   int instance_size_delta = extra_inobject_properties * kPointerSize;
   int max_instance_size_delta =
       JSObject::kMaxInstanceSize - copy->instance_size();
-  if (instance_size_delta > max_instance_size_delta) {
+  int max_extra_properties = max_instance_size_delta >> kPointerSizeLog2;
+  if (extra_inobject_properties > max_extra_properties) {
     // If the instance size overflows, we allocate as many properties
     // as we can as inobject properties.
     instance_size_delta = max_instance_size_delta;
- extra_inobject_properties = max_instance_size_delta >> kPointerSizeLog2;
+    extra_inobject_properties = max_extra_properties;
   }
   // Adjust the map with the extra inobject properties.
   int inobject_properties =
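Review bot: The signed multiplication on the first line of the hunk, `int instance_size_delta = extra_inobject_properties * kPointerSize;`, still runs before the new bound check, so an oversized `extra_inobject_properties` overflows there (undefined behaviour for `int`) even though the clamp later overwrites the result. Computing the byte delta only after the clamp removes that: drop the multiplication from the first line, keep the clamp of `extra_inobject_properties`, and add `int instance_size_delta = extra_inobject_properties * kPointerSize;` after the closing brace of the `if`, at which point the in-branch `instance_size_delta = max_instance_size_delta;` becomes redundant provided `max_instance_size_delta` is a multiple of `kPointerSize` (instance sizes appear to be pointer-aligned, but confirm). Note also that `max_instance_size_delta >> kPointerSizeLog2` is a right shift of a signed value; it only behaves as the intended division if `copy->instance_size()` can never exceed `JSObject::kMaxInstanceSize`, which nothing in the hunk asserts, so a `DCHECK_LE` or `ASSERT` on that before the shift would make the bound explicit. CopyMap's body begins before and continues after this hunk.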

