    [deoptimizer] Fix bug in OptimizedFrame::Summarize · 3353a7d0
    Georg Neis authored
    OptimizedFrame::Summarize is used by debugger features etc
    to inspect the frame of an optimized function (and the virtual frames
    of functions that got inlined). It could end up materializing a JSArray
    with the same backing store as one that would later get left-trimmed,
    resulting in a dangling elements pointer. This CL fixes that by creating
    a fresh copy of the elements store instead.
    
    Bug: chromium:1182647
    Change-Id: Iaf329464520a927b0ba33166cad2524d3752c450
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2748593
    Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
    Commit-Queue: Georg Neis <neis@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#73330}