
Commit 8245592

LeszekSwirskiV8 LUCI CQ
authored andcommitted
[ignition] Add Smi check for jump table entry untagging
Bug: 460166688 Change-Id: If470557ef2899605d9c17bd1cd7c4d64e69a63d4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7147028 Reviewed-by: Toon Verwaest <[email protected]> Commit-Queue: Leszek Swirski <[email protected]> Cr-Commit-Position: refs/heads/main@{#103691}
1 parent 7b23926 commit 8245592

1 file changed

Lines changed: 6 additions & 2 deletions


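--- a/src/interpreter/interpreter-generator.cc
+++ b/src/interpreter/interpreter-generator.cc
@@ -2517,7 +2517,9 @@ IGNITION_HANDLER(SwitchOnSmiNoFeedback, InterpreterAssembler) {
 GotoIf(IntPtrGreaterThanOrEqual(case_value, table_length), &fall_through);
 
 TNode<WordT> entry = IntPtrAdd(table_start, case_value);
-TNode<IntPtrT> relative_jump = LoadAndUntagConstantPoolEntry(entry);
+TNode<Object> constant_entry = LoadConstantPoolEntry(entry);
+CSA_SBXCHECK(this, TaggedIsSmi(constant_entry));
+TNode<IntPtrT> relative_jump = SmiUntag(CAST(constant_entry));
 Jump(relative_jump);
 
 BIND(&fall_through);
@@ -3437,7 +3439,9 @@ IGNITION_HANDLER(SwitchOnGeneratorState, InterpreterAssembler) {
 USE(table_length); // SBXCHECK is a DCHECK when the sandbox is disabled.
 
 TNode<WordT> entry = IntPtrAdd(table_start, case_value);
-TNode<IntPtrT> relative_jump = LoadAndUntagConstantPoolEntry(entry);
+TNode<Object> constant_entry = LoadConstantPoolEntry(entry);
+CSA_SBXCHECK(this, TaggedIsSmi(constant_entry));
+TNode<IntPtrT> relative_jump = SmiUntag(CAST(constant_entry));
 Jump(relative_jump);
 
 BIND(&fallthrough);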
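Review bot: The load/SBXCHECK/untag sequence is pasted verbatim into both SwitchOnSmiNoFeedback and SwitchOnGeneratorState with no comment saying what it defends against, so the next handler that derives a jump offset from the constant pool is likely to reach for the unchecked LoadAndUntagConstantPoolEntry again. Consider lifting the three lines into an InterpreterAssembler helper (e.g. `LoadAndUntagConstantPoolEntryAsSmiChecked(entry)`) that carries the check, or at least annotate each site: `// Sandbox: in-sandbox heap (including the constant pool) is assumed corruptible, so never untag an entry as a Smi and feed it to Jump() without checking its tag.`. Note that the check only proves the entry is Smi-tagged; the untagged offset is still whatever the pool holds, so unless Jump() bounds the target against the bytecode array under the sandbox (not visible in this hunk) a corrupted Smi entry can still redirect dispatch. Both handlers begin before and continue past the hunks shown.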
