From 34b96c1322b60d5e8ac7ee91df1a6984cbc9c4e6 Mon Sep 17 00:00:00 2001
From: Ben Noordhuis
Date: Thu, 2 Jun 2016 18:11:28 +0200
Subject: [PATCH] deps: backport 3a9bfec from v8 upstream
Original commit message:
Fix overflow issue in Zone::New
When requesting a large allocation near the end of the address space, the computation could overflow and erroneously *not* grow the Zone as required.
BUG=chromium:606115
LOG=y
Review-Url: https://codereview.chromium.org/1930873002
Cr-Commit-Position: refs/heads/master@{#35903}
PR-URL: https://github.com/nodejs/node-private/pull/40
Reviewed-By: Fedor Indutny
Reviewed-By: Myles Borins
Reviewed-By: Rod Vagg
---
 deps/v8/include/v8-version.h | 2 +-
 deps/v8/src/zone.cc | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 7744c089f68ce0..bd7afa5a83ff44 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 4
 #define V8_MINOR_VERSION 6
 #define V8_BUILD_NUMBER 85
-#define V8_PATCH_LEVEL 31
+#define V8_PATCH_LEVEL 32
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/zone.cc b/deps/v8/src/zone.cc
index 9dcebba2dc1fc8..1f722f2f608952 100644
--- a/deps/v8/src/zone.cc
+++ b/deps/v8/src/zone.cc
@@ -105,7 +105,10 @@ void* Zone::New(size_t size) {
 Address result = position_;
 const size_t size_with_redzone = size + kASanRedzoneBytes;
- if (limit_ < position_ + size_with_redzone) {
+ const uintptr_t limit = reinterpret_cast(limit_);
+ const uintptr_t position = reinterpret_cast(position_);
+ // position_ > limit_ can be true after the alignment correction above.
+ if (limit < position || size_with_redzone > limit - position) {
 result = NewExpand(size_with_redzone);
 } else {
 position_ += size_with_redzone;
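Review bot: The new guard makes the pointer-range comparison wrap-safe, but `size_with_redzone` on the context line just above it is still computed as `size + kASanRedzoneBytes` with no check that the addition itself did not wrap; a `size` within `kASanRedzoneBytes` of `SIZE_MAX` would yield a tiny `size_with_redzone`, pass the new test, and advance `position_` by far less than was requested. A cheap guard beside the new lines, `DCHECK_GE(size_with_redzone, size);`, documents and (in debug builds) enforces that invariant; whether the alignment rounding that the added comment refers to already rejects such sizes lies outside this hunk, so I cannot confirm it from here. Separately, the template argument of `reinterpret_cast` is missing as this page renders it (`reinterpret_cast(limit_)`); given the `uintptr_t` declarations it is presumably `reinterpret_cast<uintptr_t>(limit_)` upstream and was lost in extraction. Zone::New's body continues both before and after the hunk.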
@@ -222,7 +225,10 @@ Address Zone::NewExpand(size_t size) {
 // Make sure the requested size is already properly aligned and that
 // there isn't enough room in the Zone to satisfy the request.
 DCHECK_EQ(size, RoundDown(size, kAlignment));
- DCHECK_LT(limit_, position_ + size);
+ DCHECK(limit_ < position_ ||
+ reinterpret_cast(limit_) -
+ reinterpret_cast(position_) <
+ size);
 // Compute the new segment size. We use a 'high water mark'
 // strategy, where we increase the segment size every time we expand
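Review bot: The rewritten DCHECK spells out, across four lines, the same overflow-safe "does it fit" test that `Zone::New` now performs inline in the previous hunk, so the two copies can silently drift apart the next time either is edited. A small private helper on `Zone`, e.g. `bool HasRoomFor(size_t size) const { return limit_ >= position_ && reinterpret_cast<uintptr_t>(limit_) - reinterpret_cast<uintptr_t>(position_) >= size; }`, would let `New` write `if (!HasRoomFor(size_with_redzone))` and reduce this check to `DCHECK(!HasRoomFor(size));`, keeping one definition of the arithmetic. Adding the helper would touch the class declaration, which is not part of this patch. NewExpand's body continues past the end of the hunk.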