Reviewers: Igor Sheludko,

Message:
ptal

Description:
Reload the map of typed arrays after performing ToNumber.

BUG=chromium:507980
LOG=n

Please review this at https://codereview.chromium.org/1234553002/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+22, -5 lines):
  M src/lookup.h
  M src/lookup.cc
  M src/objects.cc
  A + test/mjsunit/regress/regress-507980.js


Index: src/lookup.cc
diff --git a/src/lookup.cc b/src/lookup.cc
index be18b3b7a182f010a177b875ab000002d4b8a31a..81793d344e7c334424eec385309c88649325ed76 100644
--- a/src/lookup.cc
+++ b/src/lookup.cc
@@ -101,6 +101,17 @@ void LookupIterator::ReloadPropertyInformation() {
 }


+void LookupIterator::ReloadHolderMap() {
+  DCHECK_EQ(DATA, state_);
+  DCHECK(IsElement());
+  DCHECK(JSObject::cast(*holder_)->HasExternalArrayElements() ||
+         JSObject::cast(*holder_)->HasFixedTypedArrayElements());
+  if (*holder_map_ != holder_->map()) {
+    holder_map_ = handle(holder_->map(), isolate_);
+  }
+}
+
+
 void LookupIterator::PrepareForDataProperty(Handle<Object> value) {
   DCHECK(state_ == DATA || state_ == ACCESSOR);
   DCHECK(HolderIsReceiverOrHiddenPrototype());
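Review bot: ReloadHolderMap has no comment stating when it is safe to call, and its preconditions live only in DCHECKs, so in a release build a caller that invokes it from the wrong state would silently resync the map over otherwise stale lookup state. Suggest documenting the contract above the definition: `// Re-reads holder_map_ after user code (e.g. valueOf run by ToNumber) may have transitioned the holder's map. Only valid for a DATA-state element lookup on a typed array, where the map is the only cached lookup state such code can change.` Naming that assumption makes it auditable if typed-array element storage ever becomes reconfigurable.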
Index: src/lookup.h
diff --git a/src/lookup.h b/src/lookup.h
index 2fcf46429d6ddb41a500003f2fa3902333b5db3c..90edd8b43d032f94aa0661105792a1eeff62e1f9 100644
--- a/src/lookup.h
+++ b/src/lookup.h
@@ -239,6 +239,7 @@ class LookupIterator final BASE_EMBEDDED {
   Handle<Object> GetDataValue() const;
   void WriteDataValue(Handle<Object> value);
   void InternalizeName();
+  void ReloadHolderMap();

  private:
   enum class InterceptorState {
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index d1488dd9d03ca8cb67f33841a7f38c33e9965ec3..be0fb6df12af30867c515782b5d6ab5979722a0d 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -3292,6 +3292,12 @@ MaybeHandle<Object> Object::SetDataProperty(LookupIterator* it,
       ASSIGN_RETURN_ON_EXCEPTION(it->isolate(), to_assign,
                                  Execution::ToNumber(it->isolate(), value),
                                  Object);
+      // ToNumber above might modify the receiver, causing the cached
+      // holder_map to mismatch the actual holder->map() after this point.
+ // Reload the map to be in consistent state. Other cached state cannot
+ // have been invalidated since typed array elements cannot be reconfigured
+      // in any way.
+      it->ReloadHolderMap();
     }
   }

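Review bot: The new comment asserts that no cached state other than the map can have been invalidated, but ToNumber runs arbitrary user code (valueOf/toString), which can also neuter the typed array's backing ArrayBuffer (e.g. via a transfer), shrinking its length to zero after the element index was already validated against the old length. Whether the write that follows re-checks the index against the current length is not visible in this hunk; if it does not, the conversion needs a second guard such as `if (Handle<JSArrayBufferView>::cast(receiver)->WasNeutered()) return value;` directly after `it->ReloadHolderMap();`, using whatever receiver handle SetDataProperty already holds and whatever neutered predicate the view exposes. At minimum the comment should be narrowed to what is actually shown: `// Reload the map to be in consistent state. ToNumber may also have neutered the underlying buffer, so the length must be rechecked before writing.` The enclosing SetDataProperty starts and ends outside the hunk.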
Index: test/mjsunit/regress/regress-507980.js
diff --git a/test/message/destructuring-modify-const.js b/test/mjsunit/regress/regress-507980.js
similarity index 56%
copy from test/message/destructuring-modify-const.js
copy to test/mjsunit/regress/regress-507980.js
index cabd924b37ea9f178259f4c979c3b3268920c713..d1a1f79f24e4458317fc6b8de5baa8bf45c0d1d9 100644
--- a/test/message/destructuring-modify-const.js
+++ b/test/mjsunit/regress/regress-507980.js
@@ -2,8 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-// Flags: --harmony-destructuring
-'use strict';
-
-const { x : x, y : y } = { x : 1, y : 2 };
-x++;
+__v_1 = new Float64Array(1);
+__v_8 = { valueOf: function() { __v_13.y = "bar"; return 42; }};
+__v_13 = __v_1;
+__v_13[0] = __v_8;
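Review bot: The regression test only drives the code path and would still pass if the store silently dropped the converted value, and nothing in the file records what it regresses. Add a one-line bug reference above the setup and pin the observable result with `assertEquals(42, __v_1[0]);` after the store, so the test also catches a future change that skips the write rather than tripping the map-mismatch check. The map mismatch itself is presumably only observable in debug builds, so that equality check is what keeps the test meaningful in release runs.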

