commit | 2bd7464ec1efc9eb24a38f7400119a5f2257f6e6 | |
---|---|---|
author | bmeurer <bmeurer@chromium.org> | Wed Oct 26 13:43:45 2016 |
committer | Commit bot <commit-bot@chromium.org> | Wed Oct 26 13:44:03 2016 |
tree | 9e78bb50d9a4341100632160197b82f1598bbb18 | |
parent | a7a350012c05f644f3f373fb48d7ac72f7f60542 | |
[compiler] Properly validate stable map assumption for globals.

For global object property cells, we did not check that the map on the previous object is still the same for which we actually optimized. So the optimized code was not in sync with the actual state of the property cell. When loading from such a global object property cell, Crankshaft optimizes away any map checks (based on the stable map assumption), leading to arbitrary memory access in the worst case.

TurboFan has the same bug for stores, but is safe on loads because we do appropriate map checks there. However, mixing TurboFan and Crankshaft still exposes the bug.

R=yangguo@chromium.org
BUG=chromium:659475

Review-Url: https://codereview.chromium.org/2444233004
Cr-Commit-Position: refs/heads/master@{#40592}
V8 is Google's open source JavaScript engine.
V8 implements ECMAScript as specified in ECMA-262.
V8 is written in C++ and is used in Google Chrome, the open source browser from Google.
V8 can run standalone, or can be embedded into any C++ application.
V8 Project page: https://github.com/v8/v8/wiki
Check out depot tools, and run

    fetch v8

This will check out V8 into the directory v8 and fetch all of its dependencies. To stay up to date, run

    git pull origin
    gclient sync

For fetching all branches, add the following into your remote configuration in .git/config:

    fetch = +refs/branch-heads/*:refs/remotes/branch-heads/*
    fetch = +refs/tags/*:refs/tags/*
Please follow the instructions mentioned on the V8 wiki.