[turbofan] Harden ReduceJSCreateArray against typing bugs

GeorgNeis · Commit Bot · commit 6516b1ccbe6f · 2020-02-13T12:27:45.000Z
Bug: chromium:1051017 Change-Id: I597363417d905bc65522d64ebfa2cbf9dde4b98f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2054086 Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#66255}
diff --git a/src/compiler/js-create-lowering.cc b/src/compiler/js-create-lowering.cc
@@ -672,6 +672,9 @@ Reduction JSCreateLowering::ReduceJSCreateArray(Node* node) {
         length_type.Max() <= kElementLoopUnrollLimit &&
         length_type.Min() == length_type.Max()) {
       int capacity = static_cast<int>(length_type.Max());
+      // Replace length with a constant in order to protect against a potential
+      // typer bug leading to length > capacity.
+      length = jsgraph()->Constant(capacity);
       return ReduceNewArray(node, length, capacity, *initial_map, elements_kind,
                             allocation, slack_tracking_prediction);
     }
