From 0be25826c203263fc3dca4f12ca9fe00c3fb2929 Mon Sep 17 00:00:00 2001
From: xurui
Date: Wed, 27 Sep 2023 04:48:24 -0400
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8DCVE-2023-4762?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: xurui
---
 src/compiler/js-native-context-specialization.cc | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/compiler/js-native-context-specialization.cc b/src/compiler/js-native-context-specialization.cc
index e766241cc..7525cd751 100644
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -3204,15 +3204,21 @@ JSNativeContextSpecialization::BuildElementAccess(
 // the (potential) backing store growth would normalize and thus
 // the elements kind of the {receiver} would change to slow mode.
 //
- // For PACKED_*_ELEMENTS the {index} must be within the range
+ // For JSArray PACKED_*_ELEMENTS the {index} must be within the range
 // [0,length+1[ to be valid. In case {index} equals {length},
 // the {receiver} will be extended, but kept packed.
+ //
+ // Non-JSArray PACKED_*_ELEMENTS always grow by adding holes because they
+ // lack the magical length property, which requires a map transition.
+ // So we can assume that this did not happen if we did not see this map.
 Node* limit =
 IsHoleyElementsKind(elements_kind)
 ? graph()->NewNode(simplified()->NumberAdd(), elements_length,
 jsgraph()->Constant(JSObject::kMaxGap))
- : graph()->NewNode(simplified()->NumberAdd(), length,
- jsgraph()->OneConstant());
+ : receiver_is_jsarray
+ ? graph()->NewNode(simplified()->NumberAdd(), length,
+ jsgraph()->OneConstant())
+ : elements_length;
 index = effect = graph()->NewNode(
 simplified()->CheckBounds(
 FeedbackSource(), CheckBoundsFlag::kConvertStringAndMinusZero),
--
Gitee
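Review bot: The new comment above `Node* limit =` does not say what "this map" and "this did not happen" refer to, so a reader cannot verify why `elements_length` is the right bound for the non-JSArray packed case; the three-way nested ternary that follows makes the same three cases harder to tell apart. Suggest replacing the last sentence with `// So a store to a non-JSArray packed receiver may only hit an existing element (index < elements_length): growing would have transitioned it to a HOLEY kind, and that map is not among the maps this access was specialized for.` and writing the limit selection as an if / else-if / else chain with one branch per case, as in the excerpt below. `receiver_is_jsarray`, `length` and `elements_length` are defined earlier in BuildElementAccess, outside this hunk, and the function continues past the CheckBounds call, so the relationship between `length` and `elements_length` for non-JSArray receivers is inferred here rather than visible. The diffstat shows no regression test accompanying a bounds-check change; a test covering a store at index == length on a non-JSArray packed receiver would pin the new limit.
```cpp
    Node* limit;
    if (IsHoleyElementsKind(elements_kind)) {
      limit = graph()->NewNode(simplified()->NumberAdd(), elements_length,
                               jsgraph()->Constant(JSObject::kMaxGap));
    } else if (receiver_is_jsarray) {
      limit = graph()->NewNode(simplified()->NumberAdd(), length,
                               jsgraph()->OneConstant());
    } else {
      limit = elements_length;
    }
    // … unchanged: CheckBounds on {index} against {limit} …
```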