commit 4fcd7307a538d9825c7dffbd36a2cd1225c7b6ce
author Leszek Swirski <leszeks@chromium.org> Wed Sep 14 14:22:23 2022
committer V8 LUCI CQ <v8-scoped@luci-project-accounts.iam.gserviceaccount.com> Wed Sep 14 15:02:48 2022
tree 84fedcddade5e38521b389151ade592362fd65d2
parent f3a0e8bccf6462c58ab7ea60ef83c7defcd98f9f

[maglev] Fix OOB check for elements

Bug: v8:7700
Change-Id: I0eaf1ffaaa2d759226b675b367a58bc0ea9a5da2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3895813
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83196}

src/maglev/maglev-ir.cc

diff --git a/src/maglev/maglev-ir.cc b/src/maglev/maglev-ir.cc
index 31280f4..3c32641 100644
--- a/src/maglev/maglev-ir.cc
+++ b/src/maglev/maglev-ir.cc
@@ -1412,9 +1412,8 @@
     __ CmpObjectType(object, FIRST_JS_OBJECT_TYPE, kScratchRegister);
     __ Assert(greater_equal, AbortReason::kUnexpectedValue);
   }
-  __ LoadAnyTaggedField(
-      kScratchRegister,
-      FieldOperand(object, JSReceiver::kPropertiesOrHashOffset));
+  __ LoadAnyTaggedField(kScratchRegister,
+                        FieldOperand(object, JSObject::kElementsOffset));
   if (FLAG_debug_code) {
     __ AssertNotSmi(kScratchRegister);
   }