[turbofan] Fix length in LowerJSCreateLiteralObject.

This fixes the length computation in for object literals in generic lowering. In rare cases (e.g. boilerplate at end of page) this could lead to out of bounds reads. R=bmeurer@chromium.org Review URL: https://codereview.chromium.org/1737893003 Cr-Commit-Position: refs/heads/master@{#34328}

[turbofan] Fix length in LowerJSCreateLiteralObject.
This fixes the length computation in for object literals in generic lowering. In rare cases (e.g. boilerplate at end of page) this could lead to out of bounds reads. R=bmeurer@chromium.org Review URL: https://codereview.chromium.org/1737893003 Cr-Commit-Position: refs/heads/master@{#34328}
db8f0504 · mstarzinger · Commit bot · 49c1e711 · db8f0504
Commit db8f0504 authored Feb 26, 2016 by mstarzinger Committed by Commit bot Feb 26, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

js-generic-lowering.cc src/compiler/js-generic-lowering.cc +2 -1

No files found.
--- a/src/compiler/js-generic-lowering.cc
+++ b/src/compiler/js-generic-lowering.cc
@@ -663,7 +663,8 @@ void JSGenericLowering::LowerJSCreateLiteralArray(Node* node) {
 void JSGenericLowering::LowerJSCreateLiteralObject(Node* node) {
  CreateLiteralParameters const& p = CreateLiteralParametersOf(node->op());
  CallDescriptor::Flags flags = AdjustFrameStatesForCall(node);
-  int const length = Handle<FixedArray>::cast(p.constant())->length();
+  // Constants are pairs, see ObjectLiteral::properties_count().
+  int const length = Handle<FixedArray>::cast(p.constant())->length() / 2;
  node->InsertInput(zone(), 1, jsgraph()->SmiConstant(p.index()));
  node->InsertInput(zone(), 2, jsgraph()->HeapConstant(p.constant()));
  node->InsertInput(zone(), 3, jsgraph()->SmiConstant(p.flags()));