[compiler] Fix bug in ContextRef::previous

My last CL introduced a null-pointer bug there. Bug: chromium:1126771, v8:7790 Change-Id: Ib16317dea14c9fbad7951cb28ce7bb8bb9ce41c3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2402037 Auto-Submit: Georg Neis <neis@chromium.org> Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#69799}
2020-09-10 09:45:47 +02:00 · 2020-09-10 09:45:47 +02:00 · c8303fe67d
commit c8303fe67d
parent adfdccc0f1
2 changed files with 46 additions and 1 deletions
--- a/src/compiler/js-heap-broker.cc
+++ b/src/compiler/js-heap-broker.cc
@ -2356,7 +2356,7 @@ ContextRef ContextRef::previous(size_t* depth,
  if (*depth == 0) return *this;

  ObjectData* previous_data = data()->AsContext()->previous(broker(), policy);
-  if (!previous_data->IsContext()) return *this;
+  if (previous_data == nullptr || !previous_data->IsContext()) return *this;

  *depth = *depth - 1;
  return ContextRef(broker(), previous_data).previous(depth, policy);
--- a/test/mjsunit/compiler/regress-1126771.js
+++ b/test/mjsunit/compiler/regress-1126771.js
@ -0,0 +1,45 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+let __callGC;
+(function () {
+  __callGC = function() {};
+})();
+
+var __v_5 = {};
+var __v_9 = {x: {}};
+
+function main() {
+  function __f_6() { this.elms = new Array(); }
+  __f_6.prototype.size = function () { return this.elms.length; };
+  function __f_7() { this.v = new __f_6(); }
+  __f_7.prototype.add = function (__v_25) { this.v.elms.push(__v_25); };
+  __f_7.prototype.size = function () { return this.v.size(); };
+  __f_7.prototype.execute = function () {
+    for (var __v_28 = 0; __v_28 < this.size(); __v_28++) {
+      delete __v_9[__v_9, 538276];
+      __callGC();
+    }
+  };
+  var __v_22 = new __f_7();
+  for (var __v_23 = 0; __v_23 < 10; __v_23++) {
+    try {
+      if (__v_5 != null && typeof __v_5 == "object") {
+        try {
+          Object.defineProperty(__v_5, 807285, {get: function() {}});
+        } catch (e) {}
+      }
+      __v_22.add();
+    } catch (e) {}
+  }
+  __v_22.execute();
+}
+
+%PrepareFunctionForOptimization(main);
+main();
+main();
+%OptimizeFunctionOnNextCall(main);
+main();