Issue 2406 in v8: Implement redzones in v8

codesite...@google.com

Nov 12, 2012, 11:26:11 AM
to v8-...@googlegroups.com
Status: Assigned
Owner: mvstan...@chromium.org
CC: k...@chromium.org, infe...@chromium.org, jsc...@chromium.org,
cev...@chromium.org, da...@chromium.org
Labels: Type-Bug Priority-Medium

New issue 2406 by infe...@chromium.org: Implement redzones in v8
http://code.google.com/p/v8/issues/detail?id=2406

From discussion of http://code.google.com/p/v8/issues/detail?id=2120, a
solution of "redzones and probably a good tracking of the top pointer of gc
space" is proposed. This is an extremely desirable feature; can you please
help to implement it. Right now, we have at least three fuzzers that can
help to find v8 bugs: farcasia's v8 fuzzer, the fuzzer working on crash urls,
and the inferno_twister fuzzer.

Comment 10 by project member mvst...@chromium.org, Today (6 hours ago)
I ran the repro for 160010 and from my experience and the comments it seems
to crash every time in
v8::internal::BasicJsonStringifier::SerializeString_(). As this method
doesn't allocate in the crashing loop (writing into a string in the heap),
verify_heap doesn't have the chance to intervene before it writes off the
end of NewSpace (new gc heap objects).

So catching this bug would need some kind of red zone support within
objects or at least knowledge about our heap segments to recognize when we
write outside of them. It's beyond the current capabilities of verify-heap.
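As an added illustration of the redzone approach the comment describes (example code written for this page, not V8's allocator or verify-heap), the toy bump-pointer space below places a poisoned redzone after each object and tracks its top pointer. A loop that writes past a string without ever allocating leaves no chance for a GC-time check, but a later redzone sweep still detects the overrun. The names `space_alloc`, `space_verify`, `serialize_into` and `demo` are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Toy bump-pointer "new space" with a poisoned redzone after each object
 * (hypothetical illustration of the idea, not V8's allocator). */
#define SPACE_SIZE 256
#define REDZONE    8
#define POISON     0xFD          /* byte pattern written into each redzone */
#define MAX_OBJS   16
static uint8_t new_space[SPACE_SIZE];
static size_t  top;              /* allocation top pointer of the space */
static size_t  obj_start[MAX_OBJS], obj_len[MAX_OBJS], obj_count;

/* Bump-allocate `len` payload bytes followed by a poisoned redzone. */
static void *space_alloc(size_t len) {
    if (obj_count == MAX_OBJS || top + len + REDZONE > SPACE_SIZE) return NULL;
    void *p = new_space + top;
    memset(new_space + top + len, POISON, REDZONE);
    obj_start[obj_count] = top; obj_len[obj_count] = len; obj_count++;
    top += len + REDZONE;
    return p;
}

/* Sweep every redzone; return the index of the first object whose
 * redzone was overwritten, or -1 if the space is intact. */
static int space_verify(void) {
    for (size_t i = 0; i < obj_count; i++) {
        const uint8_t *rz = new_space + obj_start[i] + obj_len[i];
        for (size_t k = 0; k < REDZONE; k++)
            if (rz[k] != POISON) return (int)i;
    }
    return -1;
}

/* Models the non-allocating serializer loop: writes `n` bytes with no GC
 * or verify point in between, so an overrun only shows up afterwards. */
static void serialize_into(char *dst, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = 'x';
}

/* Allocate two 16-byte strings, write `written` bytes into the second,
 * then verify: -1 when intact, 1 when the second string overran. */
static int demo(size_t written) {
    top = 0; obj_count = 0;
    (void)space_alloc(16);
    char *b = (char *)space_alloc(16);
    serialize_into(b, written);
    return space_verify();
}
```

Calling `demo(16)` returns -1 (intact) while `demo(20)` returns 1, because the four extra bytes landed in the second string's redzone rather than silently in whatever follows it.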
