| field | value | date |
|---|---|---|
| commit | 532114cd411453e94a72ed9e5082f3ef6b0907a3 | |
| author | Andy Wingo <wingo@igalia.com> | Thu Jul 04 10:50:41 2024 |
| committer | V8 LUCI CQ <v8-scoped@luci-project-accounts.iam.gserviceaccount.com> | Fri Jul 05 09:15:55 2024 |
| tree | 38f3b4e18fd28a2f160c4842ec9814fdeb4816fb | |
| parent | f4a2f3f030a7ffe0a59cfdb3cdbec4ca95ef6bc9 | |
[isolate-groups] Free code range before reservation is freed

In pointer-compression configurations, the code range uses the reservation's page allocator; accessing it after the reservation is freed is a UAF. This can occur during testing (the PoolTest).

Also, reset the once variable to allow the code range to be re-created.

Thanks to Milad Fa for the report.

Bug: 42204573
Change-Id: Ia7e89d70e2ade71f8efc8bfe109b575fc00db1b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5677029
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Andy Wingo <wingo@igalia.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#94850}
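The teardown-order hazard the commit message describes, as an added example that is not V8's code: a reservation owns a page allocator, a code range keeps a raw non-owning pointer to that allocator, and a process-wide once variable guards creation. Every name below (`PageAllocator`, `Reservation`, `CodeRange`, `Group`, `CreateGroup`, `ResetCodeRangeOnce`, the two `Teardown...` functions, the `g_code_range_created` flag) is a simplified stand-in modelled on the commit message, not a V8 type or function. The stand-in allocator reports a call made after its owner was freed as `false` instead of touching freed memory, so the two teardown orders can be compared without undefined behaviour.

```cpp
// Added illustration, not V8 code. Stand-ins for the objects named in the
// commit message; nothing here is really unmapped, so the wrong teardown
// order shows up as a boolean instead of a use-after-free.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <mutex>

// Stand-in page allocator. It belongs to a Reservation; once the reservation
// is freed it is marked retired so a late call is detected deterministically.
class PageAllocator {
 public:
  bool FreePages(std::uintptr_t /*address*/, std::size_t /*size*/) {
    return alive_;  // in real code: touches freed allocator state (the UAF)
  }
  void Retire() { alive_ = false; }
 private:
  bool alive_ = true;
};

// Stand-in reservation: owns the allocator that the code range borrows.
class Reservation {
 public:
  PageAllocator* page_allocator() { return allocator_.get(); }
  void Free() { allocator_->Retire(); }
 private:
  std::unique_ptr<PageAllocator> allocator_ = std::make_unique<PageAllocator>();
};

// Stand-in code range: a raw, non-owning pointer into the reservation is the
// dependency that makes teardown order matter.
class CodeRange {
 public:
  explicit CodeRange(PageAllocator* allocator) : allocator_(allocator) {}
  bool Free() { return allocator_->FreePages(base_, size_); }
 private:
  PageAllocator* allocator_;
  std::uintptr_t base_ = 0x1000;  // constructed placeholder values
  std::size_t size_ = 0x1000;
};

struct Group {
  std::unique_ptr<Reservation> reservation;
  std::unique_ptr<CodeRange> code_range;
};

// Hypothetical stand-in for the "once" variable the commit resets.
static std::mutex g_once_mutex;
static bool g_code_range_created = false;

// Builds a group once; refuses while the once variable is still set.
bool CreateGroup(Group* out) {
  std::lock_guard<std::mutex> lock(g_once_mutex);
  if (g_code_range_created) return false;
  g_code_range_created = true;
  out->reservation = std::make_unique<Reservation>();
  out->code_range =
      std::make_unique<CodeRange>(out->reservation->page_allocator());
  return true;
}

void ResetCodeRangeOnce() {
  std::lock_guard<std::mutex> lock(g_once_mutex);
  g_code_range_created = false;
}

// Buggy order: the reservation goes first, then the code range calls into an
// allocator whose owner is already gone. Returns false here; a UAF for real.
bool TeardownReservationFirst(Group* g) {
  g->reservation->Free();
  bool ok = g->code_range->Free();
  g->code_range.reset();
  g->reservation.reset();
  return ok;
}

// Fixed order: free the code range while its allocator is still valid, then
// the reservation, then reset the once variable so the group can be rebuilt.
bool TeardownCodeRangeFirst(Group* g) {
  bool ok = g->code_range->Free();
  g->code_range.reset();
  g->reservation->Free();
  g->reservation.reset();
  ResetCodeRangeOnce();
  return ok;
}

int main() {
  Group g;
  CreateGroup(&g);
  std::printf("reservation first: %s\n",
              TeardownReservationFirst(&g) ? "ok" : "allocator already gone");
  ResetCodeRangeOnce();
  CreateGroup(&g);
  std::printf("code range first:  %s\n",
              TeardownCodeRangeFirst(&g) ? "ok" : "allocator already gone");
  return 0;
}
```

Two things the stand-in makes visible that the commit message only states: the borrower must be released before its owner whenever it holds a raw pointer rather than an owning handle, and a create-once guard that is never cleared on teardown turns any later re-creation (for instance in a test that tears the pool down and rebuilds it) into a silent failure. In production code the ordering is best enforced structurally, by declaring the owning member before the borrowing one so destructors run in the reverse order, and checked under AddressSanitizer in tests such as the PoolTest the commit mentions.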
V8 is Google's open source JavaScript engine.
V8 implements ECMAScript as specified in ECMA-262.
V8 is written in C++ and is used in Google Chrome, the open source browser from Google.
V8 can run standalone, or can be embedded into any C++ application.
V8 Project page: https://v8.dev/docs
Check out depot tools, and run

```shell
fetch v8
```

This will check out V8 into the directory `v8` and fetch all of its dependencies. To stay up to date, run

```shell
git pull origin
gclient sync
```

For fetching all branches, add the following into your remote configuration in `.git/config`:

```
fetch = +refs/branch-heads/*:refs/remotes/branch-heads/*
fetch = +refs/tags/*:refs/tags/*
```

Please follow the instructions mentioned at v8.dev/docs/contribute.