[crankshaft] OOB string access returns wrong value
Issue description
# Minimized program:
function foo() {
return 'x'[1];
}
print(foo());
%OptimizeFunctionOnNextCall(foo);
print(foo());
# Compared fullcode with default
# Flags of fullcode:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1683665217 --nocrankshaft --turbo-filter=~
# Flags of default:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1683665217
Difference:
- undefined
+
### Start of configuration fullcode:
undefined
undefined
### End of configuration fullcode
### Start of configuration default:
undefined
### End of configuration default
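As an added illustration (not part of the report or of V8's own regression test), the reference semantics the report depends on, plus a warm-up harness that checks the accessor still yields undefined after the engine has had the chance to optimize it. It runs under plain Node.js, so it uses an iteration count in place of %OptimizeFunctionOnNextCall; the function and case names are assumptions of this example.

```javascript
// Added example, not from the bug report. Indexed access on a string with an
// out-of-bounds index must yield undefined in every compiler tier; contrast
// String.prototype.charAt, which returns "" for the same index.

// Accessor kept tiny so that a JIT will readily optimize it after warm-up.
function stringIndex(s, i) {
  return s[i];
}

// Reference semantics per ECMAScript: an integer index in [0, length) gives
// the one-character string; anything else falls through to ordinary property
// lookup and yields undefined.
function expectedStringIndex(s, i) {
  return Number.isInteger(i) && i >= 0 && i < s.length ? s.charAt(i) : undefined;
}

// Calls the accessor `iterations` times (enough to push V8 through its tiers
// without --allow-natives-syntax) and reports the first divergence from the
// reference semantics, or null if every call agreed.
function findTierDivergence(s, i, iterations) {
  const want = expectedStringIndex(s, i);
  for (let n = 0; n < iterations; n++) {
    const got = stringIndex(s, i);
    if (got !== want) {
      return { iteration: n, got, want };
    }
  }
  return null;
}

// The case from the report plus a few neighbours (constructed inputs).
const CASES = [
  ['x', 0],      // in bounds
  ['x', 1],      // the reported case: one past the end
  ['x', -1],     // negative index
  ['abc', 3],    // exactly length
  ['abc', 1.5],  // non-integer index
  ['', 0],       // empty string
];

function runAll(iterations = 100000) {
  return CASES.map(([s, i]) => ({ s, i, divergence: findTierDivergence(s, i, iterations) }));
}

if (typeof module !== 'undefined' && require.main === module) {
  for (const r of runAll()) {
    console.log(JSON.stringify(r));
  }
}
```

A non-null divergence with `got: ""` is exactly the behaviour the report's "default" configuration printed.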
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/576a46f5204b13cb09be82ee60232bd819d3e737

commit 576a46f5204b13cb09be82ee60232bd819d3e737
Author: ishell <ishell@chromium.org>
Date: Tue Dec 20 10:01:59 2016

[crankshaft] Properly handle OOB string accesses.

BUG= chromium:665793
Review-Url: https://codereview.chromium.org/2589823003
Cr-Commit-Position: refs/heads/master@{#41842}

[modify] https://crrev.com/576a46f5204b13cb09be82ee60232bd819d3e737/src/crankshaft/hydrogen.cc
[add] https://crrev.com/576a46f5204b13cb09be82ee60232bd819d3e737/test/mjsunit/regress/regress-crbug-665793.js

Dec 20 2016
Comment 1 by bmeu...@chromium.org, Nov 17 2016
Components: Blink>JavaScript>Compiler
Labels: Arch-All OS-All
Status: Available (was: Untriaged)
Summary: [crankshaft] OOB string access returns wrong value (was: Difference between fullcode and default: String access beyond length)