commit 6516b1ccbe6f549d2aa2fe24510f73eb3a33b41a
author Georg Neis <neis@chromium.org> Thu Feb 13 08:57:14 2020
committer Commit Bot <commit-bot@chromium.org> Thu Feb 13 12:27:45 2020
tree 53b17db3ba6b845366f59dfccf7529316c47e0ad
parent 73f88b5f69077ef33169361f884f31872a6d56ac

[turbofan] Harden ReduceJSCreateArray against typing bugs

Bug: chromium:1051017
Change-Id: I597363417d905bc65522d64ebfa2cbf9dde4b98f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2054086
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66255}

src/compiler/js-create-lowering.cc

diff --git a/src/compiler/js-create-lowering.cc b/src/compiler/js-create-lowering.cc
index ff057a4..77da973 100644
--- a/src/compiler/js-create-lowering.cc
+++ b/src/compiler/js-create-lowering.cc
@@ -672,6 +672,9 @@
         length_type.Max() <= kElementLoopUnrollLimit &&
         length_type.Min() == length_type.Max()) {
       int capacity = static_cast<int>(length_type.Max());
+      // Replace length with a constant in order to protect against a potential
+      // typer bug leading to length > capacity.
+      length = jsgraph()->Constant(capacity);
       return ReduceNewArray(node, length, capacity, *initial_map, elements_kind,
                             allocation, slack_tracking_prediction);
     }