Fix out-of-bounds read in SourcePositionToScriptPosition with --hydrogen-track-positions.

We were indexing into the list of inlined functions with inlining ID, which is incorrect. There can be multiple inlinining IDs corresponding to the same inlined function, because inlining ID is inlining path sensitive unique id for an inlining attempt. Additionally allow HAbnormalExit to have unknown source position even if we are tracking source positions. No code is generated from abnormal exits anyways. R=svenpanne@chromium.org BUG=v8:3184 LOG=N Review URL: https://codereview.chromium.org/653993005 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24629 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-10-15 12:06:41 +00:00 · 2014-10-15 12:06:41 +00:00 · 6fc00b4dea
commit 6fc00b4dea
parent 458db603a4
2 changed files with 9 additions and 7 deletions
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@ -144,7 +144,7 @@ void HBasicBlock::AddInstruction(HInstruction* instr,
      entry->set_position(position);
    } else {
      DCHECK(!FLAG_hydrogen_track_positions ||
-             !graph()->info()->IsOptimizing());
+             !graph()->info()->IsOptimizing() || instr->IsAbnormalExit());
    }
    first_ = last_ = entry;
  }
@ -3446,8 +3446,9 @@ HGraph::HGraph(CompilationInfo* info)
      maximum_environment_size_(0),
      no_side_effects_scope_count_(0),
      disallow_adding_new_values_(false),
-      next_inline_id_(0),
-      inlined_functions_(5, info->zone()) {
+      inlined_functions_(FLAG_hydrogen_track_positions ? 5 : 0, info->zone()),
+      inlining_id_to_function_id_(FLAG_hydrogen_track_positions ? 5 : 0,
+                                  info->zone()) {
  if (info->IsStub()) {
    CallInterfaceDescriptor descriptor =
        info->code_stub()->GetCallInterfaceDescriptor();
@ -3527,7 +3528,8 @@ int HGraph::TraceInlinedFunction(
    }
  }

-  int inline_id = next_inline_id_++;
+  int inline_id = inlining_id_to_function_id_.length();
+  inlining_id_to_function_id_.Add(id, zone());

  if (inline_id != 0) {
    CodeTracer::Scope tracing_scope(isolate()->GetCodeTracer());
@ -3546,8 +3548,8 @@ int HGraph::SourcePositionToScriptPosition(HSourcePosition pos) {
    return pos.raw();
  }

-  return inlined_functions_[pos.inlining_id()].start_position() +
-      pos.position();
+  const int id = inlining_id_to_function_id_[pos.inlining_id()];
+  return inlined_functions_[id].start_position() + pos.position();
 }


--- a/src/hydrogen.h
+++ b/src/hydrogen.h
@ -524,8 +524,8 @@ class HGraph FINAL : public ZoneObject {
    int start_position_;
  };

-  int next_inline_id_;
  ZoneList<InlinedFunctionInfo> inlined_functions_;
+  ZoneList<int> inlining_id_to_function_id_;

  DISALLOW_COPY_AND_ASSIGN(HGraph);
 };