• bmeurer's avatar
    [compiler] Properly validate stable map assumption for globals. · 2bd7464e
    bmeurer authored
    For global object property cells, we did not check that the map on the
    previous object is still the same for which we actually optimized. So
    the optimized code was not in sync with the actual state of the property
    cell. When loading from such a global object property cell, Crankshaft
    optimizes away any map checks (based on the stable map assumption),
    leading to arbitrary memory access in the worst case.
    
    TurboFan has the same bug for stores, but is safe on loads because we
    do appropriate map checks there. However mixing TurboFan and Crankshaft
    still exposes the bug.
    
    R=yangguo@chromium.org
    BUG=chromium:659475
    
    Review-Url: https://codereview.chromium.org/2444233004
    Cr-Commit-Position: refs/heads/master@{#40592}
    2bd7464e
js-global-object-specialization.cc 12 KB