Commit 6516b1cc authored by Georg Neis's avatar Georg Neis Committed by Commit Bot

[turbofan] Harden ReduceJSCreateArray against typing bugs

Bug: chromium:1051017
Change-Id: I597363417d905bc65522d64ebfa2cbf9dde4b98f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2054086
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66255}
parent 73f88b5f
...@@ -672,6 +672,9 @@ Reduction JSCreateLowering::ReduceJSCreateArray(Node* node) { ...@@ -672,6 +672,9 @@ Reduction JSCreateLowering::ReduceJSCreateArray(Node* node) {
length_type.Max() <= kElementLoopUnrollLimit && length_type.Max() <= kElementLoopUnrollLimit &&
length_type.Min() == length_type.Max()) { length_type.Min() == length_type.Max()) {
int capacity = static_cast<int>(length_type.Max()); int capacity = static_cast<int>(length_type.Max());
// Replace length with a constant in order to protect against a potential
// typer bug leading to length > capacity.
length = jsgraph()->Constant(capacity);
return ReduceNewArray(node, length, capacity, *initial_map, elements_kind, return ReduceNewArray(node, length, capacity, *initial_map, elements_kind,
allocation, slack_tracking_prediction); allocation, slack_tracking_prediction);
} }
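Review bot: The comment on the added lines says what the constant guards against but not why it is enough, and a reader may wonder how a constant derived from the same `length_type` helps if that type is wrong. The value of the change is that `capacity` and the array's stored length are now both taken from one constant, so a typer bug can no longer produce an allocation whose length field exceeds its backing store; it is worth saying that explicitly: `// If the typer is wrong, capacity is wrong too, but deriving length and capacity from the same constant keeps the length field consistent with the allocated elements.` The `static_cast<int>` on the preceding line is bounded by the `kElementLoopUnrollLimit` check above it, so that is not a concern here. ReduceJSCreateArray starts and ends outside the hunk, so whether the other (non-constant-length) paths rely on an equivalent consistency check cannot be seen from this excerpt.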