[wasm] Fix free object pointer access followed by allocation
Straightforward bug: we took a naked (unhandlified) pointer and then performed a heap allocation while still holding it. Bug: chromium:793671 Change-Id: I0cebd606c31edaca27abedc19bc878204eb9a18b Reviewed-on: https://chromium-review.googlesource.com/818634 Commit-Queue: Mircea Trofin <mtrofin@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#50003}
parent
4c6927f7a6
commit
e33a911ade
@ -844,12 +844,13 @@ Address CompileLazy(Isolate* isolate) {
// See EnsureExportedLazyDeoptData: exp_deopt_data[0...(len-1)] are pairs
// of <export_table, index> followed by undefined values. Use this
// information here to patch all export tables.
Handle<Foreign> foreign_holder =
isolate->factory()->NewForeign(result->instructions().start(), TENURED);
for (int idx = 0, end = exp_deopt_data->length(); idx < end; idx += 2) {
if (exp_deopt_data->get(idx)->IsUndefined(isolate)) break;
FixedArray* exp_table = FixedArray::cast(exp_deopt_data->get(idx));
DisallowHeapAllocation no_gc;
int exp_index = Smi::ToInt(exp_deopt_data->get(idx + 1));
Handle<Foreign> foreign_holder = isolate->factory()->NewForeign(
result->instructions().start(), TENURED);
FixedArray* exp_table = FixedArray::cast(exp_deopt_data->get(idx));
exp_table->set(exp_index, *foreign_holder);
}
// TODO(6792): No longer needed once WebAssembly code is off heap.
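Review bot: Hoisting `Handle<Foreign> foreign_holder = isolate->factory()->NewForeign(...)` above the loop also changes aliasing — every `exp_table->set(exp_index, *foreign_holder)` now stores the same Foreign object where each slot previously got its own; if any later code updates a Foreign in place (for instance via set_foreign_address when code is replaced) instead of swapping the table slot, that update would now be visible through every patched table at once, so it is worth confirming that slots are only ever replaced wholesale. The reason for the hoist is not stated in the code, and a reader could easily move the allocation back into the loop for tidiness; a comment above it such as `// Allocate the Foreign up front: the loop below holds raw FixedArray pointers, so it must not allocate (and thus must not trigger GC).` would make the invariant explicit. As far as I recall `DisallowHeapAllocation no_gc;` is a debug-only assertion scope, so in release builds that comment is the only thing guarding the invariant. The enclosing function CompileLazy starts before and continues after this hunk.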