[turbofan] Don't type-check in ObjectRef cast.

We use the object<T>() getter to extract the handle from an ObjectRef instance and cast it to Handle<T>. In DEBUG mode, the cast does a type check which accesses the heap. We must not access the heap though. This CL is a quick fix that skips the type check. Eventually we should replace the templatized accessor with a subclass-specific one to have some safety. Bug: v8:7790, v8:8316 Change-Id: I71048be2bc36570cce33b0e680824dd6bc407d14 Reviewed-on: https://chromium-review.googlesource.com/c/1282963 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#56756}
2018-10-16 17:39:13 +02:00 · 2018-10-16 17:39:13 +02:00 · 829760a561
commit 829760a561
parent 785b466af2
1 changed files with 1 additions and 2 deletions
--- a/src/compiler/js-heap-broker.h
+++ b/src/compiler/js-heap-broker.h
@ -89,8 +89,7 @@ class ObjectRef {
  // TODO(neis): Remove eventually.
  template <typename T>
  Handle<T> object() const {
-    AllowHandleDereference handle_dereference;
-    return Handle<T>::cast(object());
+    return Handle<T>(reinterpret_cast<T**>(object().address()));
  }

  bool IsSmi() const;