[v8-dev] Mark proxy maps as unstable. (issue 1158023003 by [email protected])

Fri, 29 May 2015 06:49:43 -0700 

Reviewers: Toon Verwaest,

Message:
PTALCQ

Description:
Mark proxy maps as unstable.

BUG=chromium:493568
LOG=N

Please review this at https://codereview.chromium.org/1158023003/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+9, -8 lines):
  M src/factory.cc
  A + test/mjsunit/regress/regress-crbug-493568.js


Index: src/factory.cc
diff --git a/src/factory.cc b/src/factory.cc
index f4b609a7f94fd882faacfe89847d8c495cf58456..418f727d66180869654e58889b896b741eee1c42 100644 
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -1984,6 +1984,9 @@ Handle<JSProxy> Factory::NewJSProxy(Handle<Object> handler, 
   // maps. Will probably depend on the identity of the handler object, too.
   Handle<Map> map = NewMap(JS_PROXY_TYPE, JSProxy::kSize);
   Map::SetPrototype(map, prototype);
+ // Do not treat proxy maps as stable since a proxy object may silently turn 
+  // into a JSObject by freezing, sealing or preventing extensions.
+  map->mark_unstable();

   // Allocate the proxy object.
   Handle<JSProxy> result = New<JSProxy>(map, NEW_SPACE);
Index: test/mjsunit/regress/regress-crbug-493568.js
diff --git a/test/mjsunit/harmony/regress/regress-crbug-448730.js b/test/mjsunit/regress/regress-crbug-493568.js 
similarity index 57%
copy from test/mjsunit/harmony/regress/regress-crbug-448730.js
copy to test/mjsunit/regress/regress-crbug-493568.js
index 31d276aa839cdf649b2da1ad54138cc4f9418b81..081f4937fee396568c179cf63ccc69e63a90a382 100644 
--- a/test/mjsunit/harmony/regress/regress-crbug-448730.js
+++ b/test/mjsunit/regress/regress-crbug-493568.js
@@ -4,11 +4,9 @@

 // Flags: --allow-natives-syntax --harmony-proxies

-function bar() {}
-bar({ a: Proxy.create({}) });
-function foo(x) { x.a.b == ""; }
-var x = {a: {b: "" }};
-foo(x);
-foo(x);
-%OptimizeFunctionOnNextCall(foo);
-foo(x);
+var p = Proxy.create({ fix: function() { return {}; } });
+
+var obj = {};
+obj.x = p;
+
+Object.preventExtensions(p);


--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
--- You received this message because you are subscribed to the Google Groups "v8-dev" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to