[webkit-reviews] review granted: [Bug 182843] Objects that contain dangerous things should be allocated far away from objects that can do OOB : [Attachment 333982] the patch
bugzilla-daemon at webkit.org
Thu Feb 15 20:05:49 PST 2018
Saam Barati <sbarati at apple.com> has granted Filip Pizlo <fpizlo at apple.com>'s request for review:
Bug 182843: Objects that contain dangerous things should be allocated far away from objects that can do OOB
https://bugs.webkit.org/show_bug.cgi?id=182843
Attachment 333982: the patch
https://bugs.webkit.org/attachment.cgi?id=333982&action=review
--- Comment #5 from Saam Barati <sbarati at apple.com> ---
Comment on attachment 333982
--> https://bugs.webkit.org/attachment.cgi?id=333982
the patch
View in context: https://bugs.webkit.org/attachment.cgi?id=333982&action=review
r=me
> Source/JavaScriptCore/heap/SecurityKind.h:40
> + // out-of-bounds. Currently, it's not essential to keep this separate from SeparateBits. We're using

SeparateBits => DangerousBits
> Source/JavaScriptCore/heap/SecurityKind.h:44
> + // It's illegal to use this for any subclass of JSObject, JSString, or SymbolObject, or any other

While true for SymbolObject, I think you mean Symbol here. SymbolObject is a wrapper over symbol (ditto below).
> Source/JavaScriptCore/runtime/VM.h:333
> + CompleteSubspace jsValueGigacageCellSpace; // FIXME: This space is problematic because we have things in here like DirectArguments and ScopedArguments; those should be split into JSValueOOB cells and JSValueStrict auxiliaries.

Link to bug#?