authorAllan Sandfeld Jensen <allan.jensen@theqtcompany.com>2016-07-26 14:14:20 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2016-08-10 13:47:48 +0000
commite63b94dd0a1510de212006d07cd13669a10b09ee (patch)
tree1e59b4e0362db398d59297ebe1d4fc781d98ab5a
parente0789295a59955578e3c5bea22c2f4c747a3e15f (diff)
[Backport] Version 5.2.361.32 (cherry-pick)
Merged d800a65967b115c6e1aa6c3ba08861a304383088 Merged 7a88ff3cc096ecd681e9d10ad0a75c7d3daf027e Merged a7159577b7d092ef6283c51f8bb2c456b0e23a38 [heap] Filter out stale left-trimmed handles [heap] Filter out stale left-trimmed handles for scavenges [heap] Iterate handles with special left-trim visitor BUG=chromium:620553,chromium:620553,chromium:621869 LOG=N R=hablich@chromium.org, hpayer@chromium.org NOTRY=true NOPRESUBMIT=true Review-Url: https://codereview.chromium.org/2111133002 (CVE-2016-5129) Change-Id: I2467362ee4d79f34fe3c57b38463cc65da64073a Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/v8/src/heap/heap.cc45
-rw-r--r--chromium/v8/src/heap/mark-compact.cc2
-rw-r--r--chromium/v8/src/objects-inl.h3
-rw-r--r--chromium/v8/src/objects.h2
4 files changed, 48 insertions, 4 deletions
diff --git a/chromium/v8/src/heap/heap.cc b/chromium/v8/src/heap/heap.cc
index 3d953730013..4726b7642d7 100644
--- a/chromium/v8/src/heap/heap.cc
+++ b/chromium/v8/src/heap/heap.cc
@@ -5314,6 +5314,49 @@ void Heap::IterateSmiRoots(ObjectVisitor* v) {
v->Synchronize(VisitorSynchronization::kSmiRootList);
}
+// We cannot avoid stale handles to left-trimmed objects, but can only make
+// sure all handles still needed are updated. Filter out a stale pointer
+// and clear the slot to allow post processing of handles (needed because
+// the sweeper might actually free the underlying page).
+class FixStaleLeftTrimmedHandlesVisitor : public ObjectVisitor {
+ public:
+ explicit FixStaleLeftTrimmedHandlesVisitor(Heap* heap) : heap_(heap) {
+ USE(heap_);
+ }
+
+ void VisitPointer(Object** p) override { FixHandle(p); }
+
+ void VisitPointers(Object** start, Object** end) override {
+ for (Object** p = start; p < end; p++) FixHandle(p);
+ }
+
+ private:
+ inline void FixHandle(Object** p) {
+ HeapObject* current = reinterpret_cast<HeapObject*>(*p);
+ if (!current->IsHeapObject()) return;
+ const MapWord map_word = current->map_word();
+ if (!map_word.IsForwardingAddress() && current->IsFiller()) {
+#ifdef DEBUG
+ // We need to find a FixedArrayBase map after walking the fillers.
+ while (current->IsFiller()) {
+ Address next = reinterpret_cast<Address>(current);
+ if (current->map() == heap_->one_pointer_filler_map()) {
+ next += kPointerSize;
+ } else if (current->map() == heap_->two_pointer_filler_map()) {
+ next += 2 * kPointerSize;
+ } else {
+ next += current->Size();
+ }
+ current = reinterpret_cast<HeapObject*>(next);
+ }
+ DCHECK(current->IsFixedArrayBase());
+#endif // DEBUG
+ *p = nullptr;
+ }
+ }
+
+ Heap* heap_;
+};
void Heap::IterateStrongRoots(ObjectVisitor* v, VisitMode mode) {
v->VisitPointers(&roots_[0], &roots_[kStrongRootListLength]);
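Review bot: FixHandle (lines 46-47) uses `map_word.IsForwardingAddress()` as the guard before consulting `current->IsFiller()`, while the objects.h hunk in this same commit documents that predicate as only valid during a scavenge; nothing in IterateStrongRoots as shown restricts the new visitor to scavenges, so either a comment explaining why the check is sound for the other collectors or a DCHECK on the collector mode would make the assumption explicit. The ordering itself also deserves a why-comment, because a forwarding address is not a Map and `IsFiller()` would otherwise read through it: `// A forwarded object's map word is not a Map, so only un-forwarded objects can be inspected as fillers.` The `inline` on the in-class definition of FixHandle is redundant and could be dropped for consistency with the other in-class members.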
@@ -5337,6 +5380,8 @@ void Heap::IterateStrongRoots(ObjectVisitor* v, VisitMode mode) {
v->Synchronize(VisitorSynchronization::kCompilationCache);
// Iterate over local handles in handle scopes.
+ FixStaleLeftTrimmedHandlesVisitor left_trim_visitor(this);
+ isolate_->handle_scope_implementer()->Iterate(&left_trim_visitor);
isolate_->handle_scope_implementer()->Iterate(v);
isolate_->IterateDeferredHandles(v);
v->Synchronize(VisitorSynchronization::kHandleScope);
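Review bot: The stale-handle pre-pass on lines 74-75 covers only `handle_scope_implementer()->Iterate`, while `isolate_->IterateDeferredHandles(v)` on the next line still hands its slots straight to `v`; if deferred handles can hold pointers into a left-trimmed array, those slots keep exactly the stale pointer the new visitor was introduced to clear. If the omission is intentional because deferred handles cannot reference left-trimmed objects at this point, a one-line comment stating that would keep the gap from being read as an oversight, e.g. `// Deferred handles need no left-trim filtering: <reason>`. The enclosing function IterateStrongRoots starts in the previous hunk and continues past this one.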
diff --git a/chromium/v8/src/heap/mark-compact.cc b/chromium/v8/src/heap/mark-compact.cc
index 9ca06cf2e64..d87734a727c 100644
--- a/chromium/v8/src/heap/mark-compact.cc
+++ b/chromium/v8/src/heap/mark-compact.cc
@@ -1648,8 +1648,8 @@ class RootMarkingVisitor : public ObjectVisitor {
void MarkObjectByPointer(Object** p) {
if (!(*p)->IsHeapObject()) return;
- // Replace flat cons strings in place.
HeapObject* object = ShortCircuitConsString(p);
+
MarkBit mark_bit = Marking::MarkBitFrom(object);
if (Marking::IsBlackOrGrey(mark_bit)) return;
diff --git a/chromium/v8/src/objects-inl.h b/chromium/v8/src/objects-inl.h
index fbc2c4ee76b..11d647486b3 100644
--- a/chromium/v8/src/objects-inl.h
+++ b/chromium/v8/src/objects-inl.h
@@ -1350,8 +1350,7 @@ Map* MapWord::ToMap() {
return reinterpret_cast<Map*>(value_);
}
-
-bool MapWord::IsForwardingAddress() {
+bool MapWord::IsForwardingAddress() const {
return HAS_SMI_TAG(reinterpret_cast<Object*>(value_));
}
diff --git a/chromium/v8/src/objects.h b/chromium/v8/src/objects.h
index 00ffee9a858..872df5c7a4e 100644
--- a/chromium/v8/src/objects.h
+++ b/chromium/v8/src/objects.h
@@ -1382,7 +1382,7 @@ class MapWord BASE_EMBEDDED {
// True if this map word is a forwarding address for a scavenge
// collection. Only valid during a scavenge collection (specifically,
// when all map words are heap object pointers, i.e. not during a full GC).
- inline bool IsForwardingAddress();
+ inline bool IsForwardingAddress() const;
// Create a map word from a forwarding address.
static inline MapWord FromForwardingAddress(HeapObject* object);