[deoptimizer] Fix children counting for object allocation.

For the JS object allocation case, we materialize children_count - 1 objects. However, we already materialized the map and property array, so this could materialize one object beyond the JS object. If there is no such object, we would go out-of-bounds. Bug: chromium:792330 Change-Id: I5ed5e4ddde9de9789bb2531a48a0d87c80bd156c Reviewed-on: https://chromium-review.googlesource.com/817315 Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#49986}

[deoptimizer] Fix children counting for object allocation.
For the JS object allocation case, we materialize children_count - 1 objects. However, we already materialized the map and property array, so this could materialize one object beyond the JS object. If there is no such object, we would go out-of-bounds. Bug: chromium:792330 Change-Id: I5ed5e4ddde9de9789bb2531a48a0d87c80bd156c Reviewed-on: https://chromium-review.googlesource.com/817315 Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#49986}
a6b8251b · Jaroslav Sevcik · Commit Bot · d64ea283 · a6b8251b
Commit a6b8251b authored Dec 11, 2017 by Jaroslav Sevcik Committed by Commit Bot Dec 11, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 8 deletions

deoptimizer.cc src/deoptimizer.cc +15 -8

No files found.
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -3454,7 +3454,9 @@ void TranslatedState::EnsureCapturedObjectAllocatedAt(
      CHECK_EQ(instance_size, slot->GetChildrenCount() * kPointerSize);
      slot->set_storage(AllocateStorageFor(slot));
-      break;
+      // Make sure all the remaining children (after the map) are allocated.
+      return EnsureChildrenAllocated(slot->GetChildrenCount() - 1, frame,
+                                     &value_index, worklist);
    }
    case PROPERTY_ARRAY_TYPE: {
@@ -3466,32 +3468,37 @@ void TranslatedState::EnsureCapturedObjectAllocatedAt(
      CHECK_EQ(instance_size, slot->GetChildrenCount() * kPointerSize);
      slot->set_storage(AllocateStorageFor(slot));
-      break;
+      // Make sure all the remaining children (after the map) are allocated.
+      return EnsureChildrenAllocated(slot->GetChildrenCount() - 1, frame,
+                                     &value_index, worklist);
    }
    case CONTEXT_EXTENSION_TYPE: {
      CHECK_EQ(map->instance_size(), slot->GetChildrenCount() * kPointerSize);
      slot->set_storage(AllocateStorageFor(slot));
-      break;
+      // Make sure all the remaining children (after the map) are allocated.
+      return EnsureChildrenAllocated(slot->GetChildrenCount() - 1, frame,
+                                     &value_index, worklist);
    }
    default:
      CHECK(map->IsJSObjectMap());
      EnsureJSObjectAllocated(slot, map);
      TranslatedValue* properties_slot = &(frame->values_[value_index]);
+      value_index++;
      if (properties_slot->kind() == TranslatedValue::kCapturedObject) {
        // If we are materializing the property array, make sure we put
        // the mutable heap numbers at the right places.
        EnsurePropertiesAllocatedAndMarked(properties_slot, map);
-        value_index++;
        EnsureChildrenAllocated(properties_slot->GetChildrenCount(), frame,
                                &value_index, worklist);
      }
-      break;
+      // Make sure all the remaining children (after the map and properties) are
+      // allocated.
+      return EnsureChildrenAllocated(slot->GetChildrenCount() - 2, frame,
+                                     &value_index, worklist);
  }
+  UNREACHABLE();
-  EnsureChildrenAllocated(slot->GetChildrenCount() - 1, frame, &value_index,
-                          worklist);
 }
 void TranslatedState::EnsureChildrenAllocated(int count, TranslatedFrame* frame,