Reviewers: Benedikt Meurer,
Description:
Fix invalid cast of heap constant object.
Previously we were casting to Operator1<Unique<Object>>, instead of the
correct type for heap constant objects, Operator1<Unique<HeapObject>>.
Cleanup for cfi_vptr=1; see
https://www.chromium.org/developers/testing/control-flow-integrity
BUG=chromium:457523
[email protected]
Please review this at https://codereview.chromium.org/1323863003/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+2, -1 lines):
M src/compiler/representation-change.h
Index: src/compiler/representation-change.h
diff --git a/src/compiler/representation-change.h
b/src/compiler/representation-change.h
index
ffb86d16a26709d657296ab749f9ee50716566e0..34dadf1317efbf475d124b010ef176bb4f9bb4b6
100644
--- a/src/compiler/representation-change.h
+++ b/src/compiler/representation-change.h
@@ -292,7 +292,8 @@ class RepresentationChanger {
// Eagerly fold representation changes for constants.
switch (node->opcode()) {
case IrOpcode::kHeapConstant: {
- Handle<Object> value = OpParameter<Unique<Object> >(node).handle();
+ Handle<HeapObject> value =
+ OpParameter<Unique<HeapObject>>(node).handle();
DCHECK(value.is_identical_to(factory()->true_value()) ||
value.is_identical_to(factory()->false_value()));
return jsgraph()->Int32Constant(
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
