[codegen] Fix signed integer overflow in Assembler::GrowBuffer [v8/v8 : main]

[Victor Gomes (Gerrit)]

Attention needed from Leszek Swirski

Victor Gomes voted and added 1 comment

Votes added by Victor Gomes

Auto-Submit	+1
Commit-Queue	+1

1 comment

Patchset-level comments

File-level comment, Patchset 1 (Latest):

Victor Gomes . resolved

PTAL!

Currently x64 and ia32 we double the buffer size when we grow, while arm/arm64 it is capped to 1MB. I replicated that, but maybe we should only use the 1MB strategy? It might make more sense?

Regarding repro, it is too slow even in release mode...

Open in Gerrit

Related details

Attention is currently required from:

• Leszek Swirski

Submit Requirements:

• Code-Owners
• Code-Review
• Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

Gerrit-MessageType: comment

Gerrit-Project: v8/v8

Gerrit-Branch: main

Gerrit-Change-Id: Iff3ee491f911b9183c9680db84417de9e89ed72d

Gerrit-Change-Number: 7796004

Gerrit-PatchSet: 1

Gerrit-Owner: Victor Gomes <victo...@chromium.org>

Gerrit-Reviewer: Leszek Swirski <les...@chromium.org>

Gerrit-Reviewer: Victor Gomes <victo...@chromium.org>

Gerrit-Attention: Leszek Swirski <les...@chromium.org>

Gerrit-Comment-Date: Mon, 27 Apr 2026 13:36:24 +0000

Gerrit-HasComments: Yes

Gerrit-Has-Labels: Yes

[Leszek Swirski (Gerrit)]

Attention needed from Victor Gomes

Leszek Swirski voted

Code-Review	+1
Commit-Queue	+2

Open in Gerrit

Related details

Attention is currently required from:

• Victor Gomes

Submit Requirements:

• Code-Owners
• Code-Review
• Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

Gerrit-MessageType: comment

Gerrit-Project: v8/v8

Gerrit-Branch: main

Gerrit-Change-Id: Iff3ee491f911b9183c9680db84417de9e89ed72d

Gerrit-Change-Number: 7796004

Gerrit-PatchSet: 1

Gerrit-Owner: Victor Gomes <victo...@chromium.org>

Gerrit-Reviewer: Leszek Swirski <les...@chromium.org>

Gerrit-Reviewer: Victor Gomes <victo...@chromium.org>

Gerrit-CC: v8-s...@luci-project-accounts.iam.gserviceaccount.com <v8-s...@luci-project-accounts.iam.gserviceaccount.com>

Gerrit-Attention: Victor Gomes <victo...@chromium.org>

Gerrit-Comment-Date: Tue, 28 Apr 2026 12:12:37 +0000

Gerrit-HasComments: No

Gerrit-Has-Labels: Yes

[v8-scoped@luci-project-accounts.iam.gserviceaccount.com (Gerrit)]

v8-s...@luci-project-accounts.iam.gserviceaccount.com submitted the change

Change information

Commit message:

[codegen] Fix signed integer overflow in Assembler::GrowBuffer

Compiling extremely large functions could cause `Assembler::GrowBuffer`
to calculate a negative buffer size due to a signed integer overflow
when doubling the size. This bypassed the out-of-memory guard and
resulted in a massive heap-based buffer overflow.

This CL fixes the issue by:
1. Moving `kMaximalBufferSize` to `AssemblerBase` as a common constant.
2. Adding a non-static helper method `ComputeNewBufferSize` to
   `AssemblerBase` that takes a `BufferGrowthStrategy` enum flag.
3. Adding a `DCHECK` to ensure the new size fits within `int` boundaries.
4. Updating `GrowBuffer` in arm, arm64, ia32, and x64 to use this helper.
5. Adding a check against `kMaximalBufferSize` in
   `BaselineCompiler::AllocateBuffer` to prevent huge initial
   allocations.

TAG=agy
CONV=d58d11be-b7cb-4eab-a315-ddefcb616292

Fixed: 506629455

Change-Id: Iff3ee491f911b9183c9680db84417de9e89ed72d

Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7796004

Commit-Queue: Leszek Swirski <les...@chromium.org>

Reviewed-by: Leszek Swirski <les...@chromium.org>

Auto-Submit: Victor Gomes <victo...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#106882}

Files:

• M src/baseline/baseline-compiler.cc
• M src/codegen/arm/assembler-arm.cc
• M src/codegen/arm/assembler-arm.h
• M src/codegen/arm64/assembler-arm64.cc
• M src/codegen/arm64/assembler-arm64.h
• M src/codegen/assembler.cc
• M src/codegen/assembler.h
• M src/codegen/ia32/assembler-ia32.cc
• M src/codegen/ia32/assembler-ia32.h
• M src/codegen/x64/assembler-x64.cc
• M src/codegen/x64/assembler-x64.h

Change size: M

Delta: 11 files changed, 34 insertions(+), 41 deletions(-)

Branch: refs/heads/main

Submit Requirements:

• Code-Review: +1 by Leszek Swirski

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

Gerrit-MessageType: merged

Gerrit-Project: v8/v8

Gerrit-Branch: main

Gerrit-Change-Id: Iff3ee491f911b9183c9680db84417de9e89ed72d

Gerrit-Change-Number: 7796004

Gerrit-PatchSet: 2

Gerrit-Owner: Victor Gomes <victo...@chromium.org>

Gerrit-Reviewer: Leszek Swirski <les...@chromium.org>

Gerrit-Reviewer: Victor Gomes <victo...@chromium.org>

Gerrit-Reviewer: v8-s...@luci-project-accounts.iam.gserviceaccount.com <v8-s...@luci-project-accounts.iam.gserviceaccount.com>

[Yahan Lu (LuYahan) (Gerrit)]

Attention needed from Ji Qiu

Yahan Lu (LuYahan) voted Auto-Submit+1

Auto-Submit

+1

Open in Gerrit

Related details

Attention is currently required from:

• Ji Qiu

Submit Requirements:

• Code-Owners
• Code-Review
• Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

Gerrit-MessageType: comment

Gerrit-Project: v8/v8

Gerrit-Branch: main

Gerrit-Change-Id: Iabb2fbd2f025f3180576d8571873d76c3f6599ea

Gerrit-Change-Number: 7800114

Gerrit-PatchSet: 2

Gerrit-Owner: Yahan Lu (LuYahan) <ya...@iscas.ac.cn>

Gerrit-Reviewer: Ji Qiu <qi...@iscas.ac.cn>

Gerrit-Reviewer: Yahan Lu (LuYahan) <ya...@iscas.ac.cn>

Gerrit-CC: v8-s...@luci-project-accounts.iam.gserviceaccount.com <v8-s...@luci-project-accounts.iam.gserviceaccount.com>

Gerrit-Attention: Ji Qiu <qi...@iscas.ac.cn>

Gerrit-Comment-Date: Tue, 28 Apr 2026 14:48:21 +0000

Gerrit-HasComments: No

Gerrit-Has-Labels: Yes