Reviewers: Jakob,

Message:
PTAL

Description:
Fixed crashes exposed through fuzzing.

The %_OneByteSeqStringSetChar builtin expects its arguments to be checked before being called for efficiency reasons, but the fuzzer provided no such checks. Now the builtin is robust to bad input if FLAG_debug_code is set.

[email protected]
TEST=test/mjsunit/regress/regress-320948.js
BUG=chromium:320948
LOG=Y

Please review this at https://codereview.chromium.org/72813004/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+439, -199 lines):
  M src/arm/full-codegen-arm.cc
  M src/arm/lithium-arm.h
  M src/arm/lithium-arm.cc
  M src/arm/lithium-codegen-arm.cc
  M src/arm/macro-assembler-arm.h
  M src/arm/macro-assembler-arm.cc
  M src/full-codegen.h
  M src/hydrogen-instructions.h
  M src/hydrogen.cc
  M src/ia32/full-codegen-ia32.cc
  M src/ia32/lithium-codegen-ia32.cc
  M src/ia32/lithium-ia32.h
  M src/ia32/lithium-ia32.cc
  M src/ia32/macro-assembler-ia32.h
  M src/ia32/macro-assembler-ia32.cc
  M src/objects.h
  M src/runtime.h
  M src/runtime.cc
  M src/x64/full-codegen-x64.cc
  M src/x64/lithium-codegen-x64.cc
  M src/x64/lithium-x64.h
  M src/x64/macro-assembler-x64.h
  M src/x64/macro-assembler-x64.cc
  M test/mjsunit/fuzz-natives-part3.js
  A + test/mjsunit/regress/regress-320948.js


--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
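The pattern the review description relies on, shown as an added illustration (this is not V8 code and does not model V8's actual string layout, runtime or flag handling): a fast-path builtin that skips argument validation by contract, a debug-only check that catches contract violations during fuzzing, and the caller-side validation that must happen before the fast path is entered. The `OneByteSeqString` struct, `DEBUG_CHECK` macro and `SafeSetChar` function are hypothetical names chosen for this example.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <string>

// Debug-only precondition check, modelled on the idea of a debug-code flag
// described in the review: in release builds (NDEBUG) it compiles to nothing,
// so the fast path pays no cost, while debug/fuzzing builds abort loudly on
// a contract violation instead of silently corrupting memory.
#ifdef NDEBUG
#define DEBUG_CHECK(cond) ((void)0)
#else
#define DEBUG_CHECK(cond) assert(cond)
#endif

// Hypothetical one-byte (Latin-1) sequential string: one byte per character.
struct OneByteSeqString {
    std::string chars;

    // Fast path. By contract the caller has already verified that `index` is
    // in bounds and that `value` fits in a single byte; release builds do not
    // re-check. Without such caller-side checks an out-of-range index writes
    // outside the buffer, which is the class of crash fuzzing surfaces.
    void SetCharUnchecked(std::size_t index, std::int32_t value) {
        DEBUG_CHECK(index < chars.size());
        DEBUG_CHECK(value >= 0 && value <= 0xFF);
        chars[index] = static_cast<char>(value);
    }
};

// The checks the caller owes the fast path. Returns false, and writes nothing,
// when an argument would violate the contract.
bool SafeSetChar(OneByteSeqString& s, std::int64_t index, std::int64_t value) {
    if (index < 0 || static_cast<std::uint64_t>(index) >= s.chars.size()) {
        return false;  // index outside the backing store
    }
    if (value < 0 || value > 0xFF) {
        return false;  // not representable as a one-byte character
    }
    s.SetCharUnchecked(static_cast<std::size_t>(index),
                       static_cast<std::int32_t>(value));
    return true;
}

// Small driver so the block can be run stand-alone: one accepted write and
// two rejected ones, using a constructed sample string.
std::string Demo() {
    OneByteSeqString s{"hello"};
    SafeSetChar(s, 0, 'H');     // accepted: in bounds, fits in one byte
    SafeSetChar(s, 10, 'x');    // rejected: index past the end
    SafeSetChar(s, 1, 0x1234);  // rejected: value needs more than one byte
    return s.chars;             // "Hello"
}
```

The design point is the division of labour: the unchecked entry point stays cheap for callers that have already validated their inputs, while the debug-only checks turn an unchecked misuse (such as a fuzzer calling the builtin directly with unvalidated arguments) into a deterministic assertion failure rather than a memory-safety bug that only shows up as a crash elsewhere.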