Commit 10df816e authored by Tobias Tebbi Committed by Commit Bot

[torque] fix std::set iterator invalidation bug

Bug: v8:7793
Change-Id: Ifb3f27c7da02c2040fdf5042dafa13b336007f94
Reviewed-on: https://chromium-review.googlesource.com/c/1413875
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58890}
parent 30617b77
...@@ -355,11 +355,8 @@ class UnionType final : public Type { ...@@ -355,11 +355,8 @@ class UnionType final : public Type {
} else { } else {
if (t->IsSubtypeOf(this)) return; if (t->IsSubtypeOf(this)) return;
set_parent(CommonSupertype(parent(), t)); set_parent(CommonSupertype(parent(), t));
for (const Type* member : types_) { EraseIf(&types_,
if (member->IsSubtypeOf(t)) { [&](const Type* member) { return member->IsSubtypeOf(t); });
types_.erase(member);
}
}
types_.insert(t); types_.insert(t);
} }
} }
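Review bot: The `EraseIf` call that replaces the loop has no comment saying why a plain range-for must not be used here, so a later cleanup could reintroduce the bug. The removed loop called `types_.erase(member)` while iterating `types_`, which invalidates the iterator the range-for is advancing; the next increment is undefined behaviour and typically a read of a freed set node. I would add above the call: `// Do not erase inside a range-for over types_: std::set::erase invalidates the iterator being advanced.` The lambda's `[&]` could also be narrowed to `[t]`, since `t` is the only name it uses. The enclosing method starts above the hunk.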
......
...@@ -273,6 +273,20 @@ constexpr int kTaggedSize = sizeof(void*); ...@@ -273,6 +273,20 @@ constexpr int kTaggedSize = sizeof(void*);
static const char* const kConstructMethodName = "constructor"; static const char* const kConstructMethodName = "constructor";
static const char* const kSuperMethodName = "super"; static const char* const kSuperMethodName = "super";
// Erase elements of a container that has a constant-time erase function, like
// std::set or std::list. Calling this on std::vector would have quadratic
// complexity.
template <class Container, class F>
void EraseIf(Container* container, F f) {
for (auto it = container->begin(); it != container->end();) {
if (f(*it)) {
it = container->erase(it);
} else {
++it;
}
}
}
} // namespace torque } // namespace torque
} // namespace internal } // namespace internal
} // namespace v8 } // namespace v8
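Review bot: The comment on `EraseIf` documents the complexity expectation but not the two conditions its correctness depends on. The loop relies on `container->erase(it)` returning the iterator that follows the erased element, and on the predicate `f` leaving the container unmodified; if `f` inserted or erased elements, `it` could be invalidated in the same way this commit fixes. I would extend the comment with `// Requires erase(iterator) to return the next valid iterator; f must not modify the container.`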
......
...@@ -467,6 +467,19 @@ namespace test { ...@@ -467,6 +467,19 @@ namespace test {
check(TypeswitchExample(FromConstexpr<Number>(0.5)) == 27); check(TypeswitchExample(FromConstexpr<Number>(0.5)) == 27);
} }
macro TestTypeswitchAsanLsanFailure(implicit context: Context)(obj: Object) {
typeswitch (obj) {
case (o: Smi): {
}
case (o: JSTypedArray): {
}
case (o: JSReceiver): {
}
case (o: HeapObject): {
}
}
}
macro ExampleGenericOverload<A: type>(o: Object): A { macro ExampleGenericOverload<A: type>(o: Object): A {
return o; return o;
} }
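Review bot: `TestTypeswitchAsanLsanFailure` has no comment explaining what it guards, and its empty case bodies look like dead code that a later cleanup might delete. Judging by the macro name and the commit title, compiling this typeswitch exercises the union-type construction fixed here, and the failure only shows when the Torque compiler itself runs under ASan/LSan; that is inferred from the visible lines and should be confirmed. I would add above the macro: `// Regression test: compiling this typeswitch used to hit a std::set iterator invalidation in the Torque compiler (see v8:7793); detected only in ASan/LSan builds.` The hunk shows no caller, so if compilation alone is the test, the comment should say that too.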
......