diff options
| author | Georg Neis <neis@chromium.org> | 2020-01-15 11:31:10 +0100 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-05 15:03:25 +0000 |
| commit | 4a01d3a410354bc8fe2e6ef03d32cbe39a770204 (patch) | |
| tree | cceefa6bff1aec77952b6c9905a94ae5de83d300 | |
| parent | 1c3145818e41790ade2060c324d233b8a6787856 (diff) | |
| download | qtwebengine-chromium-4a01d3a410354bc8fe2e6ef03d32cbe39a770204.tar.gz | |
[Backport] Security bug 1031909
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2002388:
Merged: Squashed multiple commits.
Merged: [turbofan] fix type widening bug in RedundancyElimination
Revision: 3f7e99ac460c3ca689aac76c39fbdf1852c9a7be
Merged: [turbofan] fix type widening bug in RedundancyElimination, completely
Revision: 69b195c935b28857ee8e85c22af14837a0ce2c62
BUG=chromium:1031909
Change-Id: I471c05fa3d5e83bb5a8eb1ca23d92a9a142ed60a
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
| -rw-r--r-- | chromium/v8/src/compiler/redundancy-elimination.cc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/chromium/v8/src/compiler/redundancy-elimination.cc b/chromium/v8/src/compiler/redundancy-elimination.cc index 9b401bcf43f..860cbbb1aca 100644 --- a/chromium/v8/src/compiler/redundancy-elimination.cc +++ b/chromium/v8/src/compiler/redundancy-elimination.cc @@ -234,7 +234,7 @@ Node* RedundancyElimination::EffectPathChecks::LookupBoundsCheckFor( Node* node) const { for (Check const* check = head_; check != nullptr; check = check->next) { if (check->node->opcode() == IrOpcode::kCheckBounds && - check->node->InputAt(0) == node) { + check->node->InputAt(0) == node && TypeSubsumes(node, check->node)) { return check->node; } } |