deps: backport 0d01728 from v8's upstream

Original commit message: [objects] do not visit ArrayBuffer's backing store ArrayBuffer's backing store is a pointer to external heap, and can't be treated as a heap object. Doing so will result in crashes, when the backing store is unaligned. See: https://github.com/nodejs/node/issues/2791 BUG=chromium:530531 R=mlippautz@chromium.org LOG=N Review URL: https://codereview.chromium.org/1327403002 Cr-Commit-Position: refs/heads/master@{#30771} Ref: https://github.com/nodejs/node/issues/2791 Ref: https://github.com/nodejs/node/pull/2912 PR-URL: https://github.com/nodejs/node/pull/3351 Reviewed-By: indutny - Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
author: Fedor Indutny <fedor@indutny.com> 2015-09-16 10:57:30 -0700
committer: Ali Ijaz Sheikh <ofrobots@google.com> 2015-10-14 11:20:35 -0700
commit: 972a0c851586ddde30f948d1ea8510f74e141f7c (patch)
tree: 931cc475ed74d5e1ff5b1c0270a8c7d1006312fe /deps/v8/src/objects-inl.h
parent: 1fdec65203c2889d92c9393a6c09b406181b75cf (diff)
download: node-new-972a0c851586ddde30f948d1ea8510f74e141f7c.tar.gz
1 files changed, 28 insertions, 0 deletions
diff --git a/deps/v8/src/objects-inl.h b/deps/v8/src/objects-inl.h
index b3713b644c..b7aba56f5a 100644
--- a/deps/v8/src/objects-inl.h
+++ b/deps/v8/src/objects-inl.h
@@ -1483,6 +1483,8 @@ HeapObjectContents HeapObject::ContentType() {
   } else if (type >= FIRST_FIXED_TYPED_ARRAY_TYPE &&
              type <= LAST_FIXED_TYPED_ARRAY_TYPE) {
     return HeapObjectContents::kMixedValues;
+  } else if (type == JS_ARRAY_BUFFER_TYPE) {
+    return HeapObjectContents::kMixedValues;
   } else if (type <= LAST_DATA_TYPE) {
     // TODO(jochen): Why do we claim that Code and Map contain only raw values?
     return HeapObjectContents::kRawValues;
@@ -6516,6 +6518,32 @@ void JSArrayBuffer::set_is_shared(bool value) {
 }
 
 
+// static
+template <typename StaticVisitor>
+void JSArrayBuffer::JSArrayBufferIterateBody(Heap* heap, HeapObject* obj) {
+  StaticVisitor::VisitPointers(
+      heap, obj,
+      HeapObject::RawField(obj, JSArrayBuffer::BodyDescriptor::kStartOffset),
+      HeapObject::RawField(obj,
+                           JSArrayBuffer::kByteLengthOffset + kPointerSize));
+  StaticVisitor::VisitPointers(
+      heap, obj, HeapObject::RawField(obj, JSArrayBuffer::kSize),
+      HeapObject::RawField(obj, JSArrayBuffer::kSizeWithInternalFields));
+}
+
+
+void JSArrayBuffer::JSArrayBufferIterateBody(HeapObject* obj,
+                                             ObjectVisitor* v) {
+  v->VisitPointers(
+      HeapObject::RawField(obj, JSArrayBuffer::BodyDescriptor::kStartOffset),
+      HeapObject::RawField(obj,
+                           JSArrayBuffer::kByteLengthOffset + kPointerSize));
+  v->VisitPointers(
+      HeapObject::RawField(obj, JSArrayBuffer::kSize),
+      HeapObject::RawField(obj, JSArrayBuffer::kSizeWithInternalFields));
+}
+
+
 Object* JSArrayBufferView::byte_offset() const {
   if (WasNeutered()) return Smi::FromInt(0);
   return Object::cast(READ_FIELD(this, kByteOffsetOffset));
author	Fedor Indutny <fedor@indutny.com>	2015-09-16 10:57:30 -0700
committer	Ali Ijaz Sheikh <ofrobots@google.com>	2015-10-14 11:20:35 -0700
commit	972a0c851586ddde30f948d1ea8510f74e141f7c (patch)
tree	931cc475ed74d5e1ff5b1c0270a8c7d1006312fe /deps/v8/src/objects-inl.h
parent	1fdec65203c2889d92c9393a6c09b406181b75cf (diff)
download	node-new-972a0c851586ddde30f948d1ea8510f74e141f7c.tar.gz