From: bmeurer Date: Thu, 30 Jul 2015 09:16:12 +0000 (-0700) Subject: [turbofan] Fix invalid access to Parameter index. X-Git-Tag: upstream/4.7.83~1121 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=efab0b74ddfe44ef03cad6822910f178a1055aaa;p=platform%2Fupstream%2Fv8.git [turbofan] Fix invalid access to Parameter index. A Parameter operator contains a ParameterInfo payload, not an int payload, so the OpParameter cast is invalid (and only worked by coincidence currently). BUG=chromium:515215 LOG=n R=yangguo@chromium.org Review URL: https://codereview.chromium.org/1266743002 Cr-Commit-Position: refs/heads/master@{#29919}
---
diff --git a/src/compiler/typer.cc b/src/compiler/typer.cc
index 3f4bd27ec..85b73c825 100644
--- a/src/compiler/typer.cc
+++ b/src/compiler/typer.cc
@@ -7,6 +7,7 @@
 #include "src/base/flags.h"
 #include "src/base/lazy-instance.h"
 #include "src/bootstrapper.h"
+#include "src/compiler/common-operator.h"
 #include "src/compiler/graph-reducer.h"
 #include "src/compiler/js-operator.h"
 #include "src/compiler/node.h"
@@ -571,11 +572,11 @@ Bounds Typer::Visitor::TypeIfException(Node* node) {
 Bounds Typer::Visitor::TypeParameter(Node* node) {
- int param = OpParameter(node);
- Type::FunctionType* function_type = typer_->function_type();
- if (function_type != nullptr && param >= 0 &&
- param < static_cast(function_type->Arity())) {
- return Bounds(Type::None(), function_type->Parameter(param));
+ if (Type::FunctionType* function_type = typer_->function_type()) {
+ int const index = ParameterIndexOf(node->op());
+ if (index >= 0 && index < function_type->Arity()) {
+ return Bounds(Type::None(), function_type->Parameter(index));
+ }
 }
 return Bounds::Unbounded(zone());
 }
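Review bot: The new `TypeParameter` body would benefit from a short comment saying why the index is read through `ParameterIndexOf(node->op())`, because the unchecked payload cast it replaces compiled cleanly and, per the commit message, only worked by coincidence; something like `// Parameter carries a ParameterInfo payload; read the index via ParameterIndexOf, not a raw OpParameter cast.` above the `int const index` line would stop the old form from being reintroduced. The range check `index >= 0 && index < function_type->Arity()` is what keeps `function_type->Parameter(index)` in bounds, and it now compares without the `static_cast` the removed lines applied to `Arity()`; if `Arity()` returns an unsigned type the comparison is still safe only because `index >= 0` is tested first, so the order of the two comparisons should be kept. No regression test for the linked bug is visible in this patch, though one may exist outside the part of the page shown.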