| Index: src/compiler/js-inlining.cc
|
| diff --git a/src/compiler/js-inlining.cc b/src/compiler/js-inlining.cc
|
| index 35693308fd3d320ca6c854855632c4f062b7c988..13bb0f903240a873678ea65fc7cb0dd7a6e7a1ad 100644
|
| --- a/src/compiler/js-inlining.cc
|
| +++ b/src/compiler/js-inlining.cc
|
| @@ -238,11 +238,12 @@ Reduction JSInliner::Reduce(Node* node) {
|
| if (node->opcode() != IrOpcode::kJSCallFunction) return NoChange();
|
|
|
| JSCallFunctionAccessor call(node);
|
| - HeapObjectMatcher<JSFunction> match(call.jsfunction());
|
| + HeapObjectMatcher match(call.jsfunction());
|
| if (!match.HasValue()) return NoChange();
|
|
|
| - Handle<JSFunction> function = match.Value().handle();
|
| - if (!function->IsJSFunction()) return NoChange();
|
| + if (!match.Value().handle()->IsJSFunction()) return NoChange();
|
| + Handle<JSFunction> function =
|
| + Handle<JSFunction>::cast(match.Value().handle());
|
| if (mode_ == kRestrictedInlining && !function->shared()->force_inline()) {
|
| return NoChange();
|
| }
|
|
|
Chromium Code Reviews
Issue 1196623002:
[ubsan] Fix HeapObjectMatcher to avoid invalid casts. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master