From 1dc2c44e3cf39815954bc196b2cb219a9224f316 Mon Sep 17 00:00:00 2001
From: "vegorov@chromium.org"
Date: Fri, 29 Oct 2010 08:13:19 +0000
Subject: [PATCH] Clear JS function result caches in all global contexts.
Original patch by Mark Lam from Hewlett-Packard Development Company, LP. (http://codereview.chromium.org/4187007)
Fix memory corruption in JSFunctionResultCache::Clear caused by out of bounds writes which was revealed by the patch.
Review URL: http://codereview.chromium.org/4200009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5738 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/heap.cc | 21 +++++++++------------
 src/objects-inl.h | 4 +++-
 2 files changed, 12 insertions(+), 13 deletions(-)
diff --git a/src/heap.cc b/src/heap.cc
index fc90866..b037efd 100644
--- a/src/heap.cc
+++ b/src/heap.cc
@@ -581,25 +581,22 @@ void Heap::EnsureFromSpaceIsCommitted() {
 }
-class ClearThreadJSFunctionResultCachesVisitor: public ThreadVisitor {
- virtual void VisitThread(ThreadLocalTop* top) {
- Context* context = top->context_;
- if (context == NULL) return;
+void Heap::ClearJSFunctionResultCaches() {
+ if (Bootstrapper::IsActive()) return;
+ Object* context = global_contexts_list_;
+ while (!context->IsUndefined()) {
+ // Get the caches for this context:
 FixedArray* caches =
- context->global()->global_context()->jsfunction_result_caches();
+ Context::cast(context)->jsfunction_result_caches();
+ // Clear the caches:
 int length = caches->length();
 for (int i = 0; i < length; i++) {
 JSFunctionResultCache::cast(caches->get(i))->Clear();
 }
+ // Get the next context:
+ context = Context::cast(context)->get(Context::NEXT_CONTEXT_LINK);
 }
-};
-
-
-void Heap::ClearJSFunctionResultCaches() {
- if (Bootstrapper::IsActive()) return;
- ClearThreadJSFunctionResultCachesVisitor visitor;
- ThreadManager::IterateArchivedThreads(&visitor);
 }
diff --git a/src/objects-inl.h b/src/objects-inl.h
index 4d21017..1852b54 100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
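Review bot: `Context::cast(context)` is evaluated twice per iteration of the new loop in `Heap::ClearJSFunctionResultCaches` — once for `jsfunction_result_caches()` and again for `get(Context::NEXT_CONTEXT_LINK)` — and the three `// Get ...`/`// Clear ...` comments restate the statements rather than the invariant the walk depends on. Binding the cast once, `Context* current = Context::cast(context);`, and using `current` in both places keeps one cast per iteration and reads more clearly. The function has no header comment; a one-liner such as `// Clears the JSFunctionResultCaches of every context on global_contexts_list_, following NEXT_CONTEXT_LINK until the undefined terminator.` would record the termination condition the while loop relies on, which is the only thing bounding the walk now that the old `context == NULL` early return is gone. The removed visitor only reached the context of each archived thread via `top->context_`; nothing in the new body says why the whole list is walked instead, so that rationale from the commit message is worth keeping next to the code. If `global_contexts_list_` can ever hold a null pointer before it is initialised (not visible here), `context->IsUndefined()` would dereference it, so a guard equivalent to the old one may still be warranted — worth confirming against the field's initialisation.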
@@ -1952,7 +1952,9 @@ void JSFunctionResultCache::MakeZeroSize() {
 void JSFunctionResultCache::Clear() {
 int cache_size = Smi::cast(get(kCacheSizeIndex))->value();
 Object** entries_start = RawField(this, OffsetOfElementAt(kEntriesIndex));
- MemsetPointer(entries_start, Heap::the_hole_value(), cache_size);
+ MemsetPointer(entries_start,
+ Heap::the_hole_value(),
+ cache_size - kEntriesIndex);
 MakeZeroSize();
 }
--
2.7.4
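Review bot: The corrected length `cache_size - kEntriesIndex` appears to encode, without saying so, that `cache_size` is an index counted from the start of the array rather than a count of entries; the old call passed it straight through as a count from `entries_start`, which is how the out-of-bounds write described in the commit message would have overshot by `kEntriesIndex` elements. A comment on the `MemsetPointer` call, `// cache_size is an absolute index: the entries occupy [kEntriesIndex, cache_size).`, would pin that convention for the next reader, and a debug check just before the call, `ASSERT(cache_size >= kEntriesIndex && cache_size <= length());`, would turn a future violation into a failed assertion instead of a silent heap overwrite (assuming `length()` is available on this type as it is on the `FixedArray` in the heap.cc hunk, and that `ASSERT` is the project's debug-check macro in this tree). `cache_size` is an `int` decoded from a Smi, so a negative or oversize stored value would otherwise still reach the memset as a length.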