
Commit f16a3a7

MayaLekovaCommit Bot
authored andcommitted
[turbofan] Fix memory corruption
Bug: chromium:997057 Change-Id: I821b91ff51f82e6325dae5719e1669142c82b05e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768579 Commit-Queue: Maya Lekova <[email protected]> Commit-Queue: Georg Neis <[email protected]> Reviewed-by: Georg Neis <[email protected]> Auto-Submit: Maya Lekova <[email protected]> Cr-Commit-Position: refs/heads/master@{#63369}
1 parent b1f6461 commit f16a3a7

2 files changed

Lines changed: 33 additions & 1 deletion


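--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -1094,7 +1094,8 @@ Reduction JSNativeContextSpecialization::ReduceNamedAccess(
 ZoneVector<PropertyAccessInfo> access_infos(zone());
 FilterMapsAndGetPropertyAccessInfos(feedback, access_mode, receiver, effect,
 &access_infos_for_feedback);
-AccessInfoFactory access_info_factory(broker(), dependencies(), zone());
+AccessInfoFactory access_info_factory(broker(), dependencies(),
+graph()->zone());
 if (!access_info_factory.FinalizePropertyAccessInfos(
 access_infos_for_feedback, access_mode, &access_infos)) {
 return NoChange();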
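Review bot: The reason for switching the `AccessInfoFactory` constructor from the reducer-local `zone()` to `graph()->zone()` is not recorded in the code, and the commit message says only "Fix memory corruption", so a later cleanup could move the allocation back and silently reintroduce the lifetime bug. A why-comment on the new line would protect it, e.g. `// Allocate in the graph zone: data produced by the factory must outlive this reducer's local zone.` That the factory's output actually escapes the local zone is inferred from the fix rather than visible in the hunk, so the wording should be confirmed against the consumers of the finalized access infos; note that `access_infos` itself still lives in `zone()` two lines above, which is presumably only safe because it is consumed within this function. ReduceNamedAccess continues outside the hunk.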
Lines changed: 31 additions & 0 deletions
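--- /dev/null
+++ b/[test-file-path-not-shown-on-page]
@@ -0,0 +1,31 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --no-lazy-feedback-allocation
+
+arr0 = [];
+
+var obj = {};
+
+Array.prototype[12] = 10;
+arr0 = [];
+Array.prototype[0] = 153;
+
+for (var elem in arr0) {
+obj.length = {
+toString: function () {
+}
+};
+}
+
+function baz() {
+obj.length, arr0.length;
+}
+
+var arr = [{}, [], {}];
+for (var i in arr) {
+baz();
+for (var j = 0; j < 100000; j++) {
+}
+}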
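Review bot: The new regression test contains no assertion and no statement of what it expects, so a reader cannot tell that "does not crash or corrupt memory" is the pass condition; a header comment such as `// Regression test for chromium:997057 (bug id from the commit message): optimizing baz() must not crash or corrupt memory.` would make that explicit. The 100000-iteration inner loop presumably exists to let `baz()` tier up through the runtime heuristics instead of `%OptimizeFunctionOnNextCall`, which keeps the test free of `--allow-natives-syntax` but makes the trigger timing-dependent, so a one-line comment saying this is deliberate would help whoever next sees it pass without exercising the fixed path.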
