[maglev] Fix OOB check for elements

Bug: v8:7700 Change-Id: I0eaf1ffaaa2d759226b675b367a58bc0ea9a5da2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3895813Reviewed-by: Jakob Linke <jgruber@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Jakob Linke <jgruber@chromium.org> Cr-Commit-Position: refs/heads/main@{#83196}

[maglev] Fix OOB check for elements
Bug: v8:7700 Change-Id: I0eaf1ffaaa2d759226b675b367a58bc0ea9a5da2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3895813Reviewed-by: Jakob Linke <jgruber@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Jakob Linke <jgruber@chromium.org> Cr-Commit-Position: refs/heads/main@{#83196}
4fcd7307 · Leszek Swirski · V8 LUCI CQ · f3a0e8bc · 4fcd7307
Commit 4fcd7307 authored Sep 14, 2022 by Leszek Swirski Committed by V8 LUCI CQ Sep 14, 2022
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 3 deletions

maglev-ir.cc src/maglev/maglev-ir.cc +2 -3

No files found.
--- a/src/maglev/maglev-ir.cc
+++ b/src/maglev/maglev-ir.cc
@@ -1412,9 +1412,8 @@ void CheckJSObjectElementsBounds::GenerateCode(MaglevAssembler* masm,
    __ CmpObjectType(object, FIRST_JS_OBJECT_TYPE, kScratchRegister);
    __ Assert(greater_equal, AbortReason::kUnexpectedValue);
  }
-  __ LoadAnyTaggedField(
-      kScratchRegister,
-      FieldOperand(object, JSReceiver::kPropertiesOrHashOffset));
+  __ LoadAnyTaggedField(kScratchRegister,
+                        FieldOperand(object, JSObject::kElementsOffset));
  if (FLAG_debug_code) {
    __ AssertNotSmi(kScratchRegister);
  }