[ptr-compr] Fix literal field copy iteration size

When iterating over fields to copy, we should copy kTagged-sized fields, not kPointer-sized fields, to avoid overwriting something allocated after the last slot of an object if the end of the object isn't kPointer aligned. Bug: v8:8948 Change-Id: Ic3d933157ca1962a779dba6ae58facb558d75ca0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1718151 Auto-Submit: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#62912}
2019-07-25 13:49:20 +02:00 · 2019-07-25 13:49:20 +02:00 · 61a3f827ee
commit 61a3f827ee
parent 6c46b2031c
1 changed files with 2 additions and 2 deletions
--- a/src/builtins/builtins-constructor-gen.cc
+++ b/src/builtins/builtins-constructor-gen.cc
@ -538,8 +538,8 @@ Node* ConstructorBuiltinsAssembler::EmitCreateShallowObjectLiteral(
        StoreObjectFieldNoWriteBarrier(copy, offset.value(), field);
      } else {
        // Copy fields as raw data.
-        TNode<IntPtrT> field =
-            LoadObjectField<IntPtrT>(boilerplate, offset.value());
+        TNode<TaggedT> field =
+            LoadObjectField<TaggedT>(boilerplate, offset.value());
        StoreObjectFieldNoWriteBarrier(copy, offset.value(), field);
      }
      offset = IntPtrAdd(offset.value(), IntPtrConstant(kTaggedSize));