[v8-dev] [v8] r17740 committed - Avoid integer overflow in CopyMap....

[codesite-noreply]

Revision: 17740
Author:   verwa...@chromium.org
Date:     Thu Nov 14 11:56:03 2013 UTC
Log:      Avoid integer overflow in CopyMap.
R=jkumme...@chromium.org

Review URL: https://chromiumcodereview.appspot.com/63173023
http://code.google.com/p/v8/source/detail?r=17740

Modified:
 /branches/bleeding_edge/src/factory.cc

=======================================
--- /branches/bleeding_edge/src/factory.cc      Wed Nov 13 10:34:06 2013 UTC
+++ /branches/bleeding_edge/src/factory.cc      Thu Nov 14 11:56:03 2013 UTC
@@ -626,11 +626,12 @@
   int instance_size_delta = extra_inobject_properties * kPointerSize;
   int max_instance_size_delta =
       JSObject::kMaxInstanceSize - copy->instance_size();
-  if (instance_size_delta > max_instance_size_delta) {
+  int max_extra_properties = max_instance_size_delta >> kPointerSizeLog2;
+  if (extra_inobject_properties > max_extra_properties) {
     // If the instance size overflows, we allocate as many properties
     // as we can as inobject properties.
     instance_size_delta = max_instance_size_delta;
-    extra_inobject_properties = max_instance_size_delta >>  
kPointerSizeLog2;
+    extra_inobject_properties = max_extra_properties;
   }
   // Adjust the map with the extra inobject properties.
   int inobject_properties =

--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.