3353a7d0b0
OptimizedFrame::Summarize is used by debugger features etc. to inspect the frame of an optimized function (and the virtual frames of functions that got inlined). It could end up materializing a JSArray with the same backing store as one that would later get left-trimmed, resulting in a dangling elements pointer. This CL fixes that by creating a fresh copy of the elements store instead.

Bug: chromium:1182647
Change-Id: Iaf329464520a927b0ba33166cad2524d3752c450
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2748593
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73330}
// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --verify-heap
function foo() {
const arr = Array(1000);
function bar() {
try { ({a: p4nda, b: arr.length}); } catch(e) {}
}
for (var i = 0; i < 25; i++) bar();
/p4nda/.test({}); // Deopt here.
arr.shift();
}
%PrepareFunctionForOptimization(foo);
foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
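Review bot: Only the deopt line is commented, so the chain this regression test depends on — `bar` being inlined into the optimized `foo`, the throw on the undeclared `p4nda` inside the `try`, and the `arr.shift()` that follows — has to be reconstructed from the commit message rather than from the file. A header comment above `foo` would make the test self-contained, e.g. `// Regression test for chromium:1182647: summarizing the optimized frame (presumably` `// triggered here by the ReferenceError for the undeclared p4nda) materializes arr;` `// arr.shift() then left-trims its elements store, and --verify-heap must not find a stale pointer.` The empty `catch(e) {}` and `var i` look intentional for a test of this kind and can stay, but the reason the exception is deliberately swallowed belongs in that same comment so nobody "fixes" it later.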