diff options
| author | Fedor Indutny <fedor@indutny.com> | 2015-09-16 10:57:30 -0700 |
|---|---|---|
| committer | Fedor Indutny <fedor@indutny.com> | 2015-09-16 17:32:47 -0700 |
| commit | 2b8a06b32347ac16eaac820227a4672dbe05c134 (patch) | |
| tree | 996414bad8047049a4b108ca4e38482fe34dc30c /deps/v8/src/objects.h | |
| parent | 5f6579d3661b5a55ccefdcbc4e24d4b1ebea6588 (diff) | |
| download | node-new-2b8a06b32347ac16eaac820227a4672dbe05c134.tar.gz | |
deps: backport 0d01728 from v8's upstream
Original commit message:
[objects] do not visit ArrayBuffer's backing store
ArrayBuffer's backing store is a pointer to external heap, and
can't be treated as a heap object. Doing so will result in
crashes, when the backing store is unaligned.
See: https://github.com/nodejs/node/issues/2791
BUG=chromium:530531
R=mlippautz@chromium.org
LOG=N
Review URL: https://codereview.chromium.org/1327403002
Cr-Commit-Position: refs/heads/master@{#30771}
Fix: https://github.com/nodejs/node/issues/2791
PR-URL: https://github.com/nodejs/node/pull/2912
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Diffstat (limited to 'deps/v8/src/objects.h')
| -rw-r--r-- | deps/v8/src/objects.h | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/deps/v8/src/objects.h b/deps/v8/src/objects.h index 7e4fcbafeb..563618ab71 100644 --- a/deps/v8/src/objects.h +++ b/deps/v8/src/objects.h @@ -10014,9 +10014,14 @@ class JSArrayBuffer: public JSObject { DECLARE_PRINTER(JSArrayBuffer) DECLARE_VERIFIER(JSArrayBuffer) - static const int kBackingStoreOffset = JSObject::kHeaderSize; - static const int kByteLengthOffset = kBackingStoreOffset + kPointerSize; - static const int kBitFieldSlot = kByteLengthOffset + kPointerSize; + static const int kByteLengthOffset = JSObject::kHeaderSize; + + // NOTE: GC will visit objects fields: + // 1. From JSObject::BodyDescriptor::kStartOffset to kByteLengthOffset + + // kPointerSize + // 2. From start of the internal fields and up to the end of them + static const int kBackingStoreOffset = kByteLengthOffset + kPointerSize; + static const int kBitFieldSlot = kBackingStoreOffset + kPointerSize; #if V8_TARGET_LITTLE_ENDIAN || !V8_HOST_ARCH_64_BIT static const int kBitFieldOffset = kBitFieldSlot; #else @@ -10027,6 +10032,12 @@ class JSArrayBuffer: public JSObject { static const int kSizeWithInternalFields = kSize + v8::ArrayBuffer::kInternalFieldCount * kPointerSize; + template <typename StaticVisitor> + static inline void JSArrayBufferIterateBody(Heap* heap, HeapObject* obj); + + static inline void JSArrayBufferIterateBody(HeapObject* obj, + ObjectVisitor* v); + class IsExternal : public BitField<bool, 1, 1> {}; class IsNeuterable : public BitField<bool, 2, 1> {}; class WasNeutered : public BitField<bool, 3, 1> {}; |