blob: b18722448df834d33121f1f80612ab72e7e86d46 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
From 3c8f3a181afb7407ca6b8dd6605dcea3a8e78ba8 Mon Sep 17 00:00:00 2001
From: Elvis Pranskevichus <elvis@magic.io>
Date: Sat, 24 Mar 2018 13:34:10 -0400
Subject: [PATCH] Fix crankshaft RCE patch
---
patches/v8/crankshaft-hydrogen-rce.patch | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/patches/v8/crankshaft-hydrogen-rce.patch b/patches/v8/crankshaft-hydrogen-rce.patch
index d99d964..273705e 100644
--- a/patches/v8/crankshaft-hydrogen-rce.patch
+++ b/patches/v8/crankshaft-hydrogen-rce.patch
@@ -1,16 +1,17 @@
diff --git a/src/crankshaft/hydrogen.cc b/src/crankshaft/hydrogen.cc
-index d55bb37..d595617 100644
+index d55bb37..2833c63 100644
--- a/src/crankshaft/hydrogen.cc
+++ b/src/crankshaft/hydrogen.cc
-@@ -7176,7 +7176,10 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess(
+@@ -7176,8 +7176,11 @@ HValue* HOptimizedGraphBuilder::HandlePolymorphicElementAccess(
// Get transition target for each map (NULL == no transition).
for (int i = 0; i < maps->length(); ++i) {
Handle<Map> map = maps->at(i);
+ // Don't generate elements kind transitions from stable maps.
Map* transitioned_map =
+- map->FindElementsKindTransitionedMap(&possible_transitioned_maps);
+ map->is_stable()
+ ? nullptr
+ : map->FindElementsKindTransitionedMap(&possible_transitioned_maps);
-- map->FindElementsKindTransitionedMap(&possible_transitioned_maps);
if (transitioned_map != nullptr) {
transition_target.Add(handle(transitioned_map));
+ } else {
--
2.16.1
|
GitWeb
