From 8fe610a36b44e25f99f72620e38766176487e48c Mon Sep 17 00:00:00 2001
From: Heejin Ahn
Date: Wed, 13 Jan 2021 06:43:32 -0800
Subject: [PATCH] Fix an index error in ArenaVectorBase

Because `resize()` sets `usedElements` to its argument, we were accessing `data[usedElements]`, which can be outside of allocated memory depending the internal state, i.e., `allocatedElements`'s value. It is hard to come up with a test case for this because apparently the failure condition depends on the vector's internal state.
---
 src/mixed_arena.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mixed_arena.h b/src/mixed_arena.h
index 9ae19f94d5c..b4822680b6a 100644
--- a/src/mixed_arena.h
+++ b/src/mixed_arena.h
@@ -370,7 +370,7 @@ template class ArenaVectorBase {
 void insertAt(size_t index, T item) {
 assert(index <= usedElements); // appending is ok
 resize(usedElements + 1);
- for (auto i = usedElements; i > index; --i) {
+ for (auto i = usedElements - 1; i > index; --i) {
 data[i] = data[i - 1];
 }
 data[index] = item;
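Review bot: The only bounds check in `insertAt` is `assert(index <= usedElements)`, which compiles away under `NDEBUG`; in such a build an out-of-range `index` skips the shift loop and reaches the `data[index] = item` store unchecked. Whether this project's release builds keep assertions enabled is not visible from the hunk; if they do not, an unconditional guard before the `resize` call, for example `if (index > usedElements) abort();`, would keep the write inside the vector. The corrected loop start is right only because `resize(usedElements + 1)` has already incremented `usedElements` (and so `usedElements - 1` cannot wrap), which is worth a comment on the `for` line such as `// resize() already bumped usedElements; the last valid slot is usedElements - 1`. The end of `insertAt` lies outside the hunk.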