Reviewers: Igor Sheludko,
Description:
Version 4.5.103.16 (cherry-pick)
Merged 0b3d6f7a7dfaf645a4aba7e4fbb03da7b1ad2a7a
Reload the map of typed arrays after performing ToNumber.
BUG=chromium:507980
LOG=N
[email protected]
Please review this at https://codereview.chromium.org/1274613002/
Base URL: https://chromium.googlesource.com/v8/[email protected]
Affected files (+23, -6 lines):
M include/v8-version.h
M src/lookup.h
M src/lookup.cc
M src/objects.cc
A + test/mjsunit/regress/regress-507980.js
Index: include/v8-version.h
diff --git a/include/v8-version.h b/include/v8-version.h
index
c51edbbd35b5b0a99a3877573f4a48c387318b37..0a64e76e25a193027a1123be65f81932b3a7be4d
100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
#define V8_MAJOR_VERSION 4
#define V8_MINOR_VERSION 5
#define V8_BUILD_NUMBER 103
-#define V8_PATCH_LEVEL 15
+#define V8_PATCH_LEVEL 16
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
Index: src/lookup.cc
diff --git a/src/lookup.cc b/src/lookup.cc
index
be18b3b7a182f010a177b875ab000002d4b8a31a..81793d344e7c334424eec385309c88649325ed76
100644
--- a/src/lookup.cc
+++ b/src/lookup.cc
@@ -101,6 +101,17 @@ void LookupIterator::ReloadPropertyInformation() {
}
+void LookupIterator::ReloadHolderMap() {
+ DCHECK_EQ(DATA, state_);
+ DCHECK(IsElement());
+ DCHECK(JSObject::cast(*holder_)->HasExternalArrayElements() ||
+ JSObject::cast(*holder_)->HasFixedTypedArrayElements());
+ if (*holder_map_ != holder_->map()) {
+ holder_map_ = handle(holder_->map(), isolate_);
+ }
+}
+
+
void LookupIterator::PrepareForDataProperty(Handle<Object> value) {
DCHECK(state_ == DATA || state_ == ACCESSOR);
DCHECK(HolderIsReceiverOrHiddenPrototype());
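Review bot: `ReloadHolderMap()` has no comment stating its contract, neither on the definition added here nor on the public declaration added in src/lookup.h, and its preconditions are carried only by the three DCHECKs, which are debug-only. It refreshes `holder_map_` and nothing else, so a later caller that uses it on a holder whose other cached lookup state can go stale would get no signal in a release build. I would add above the declaration something like `// Re-reads the holder's map after user code may have run. Only valid in DATA state for typed-array elements, where no other cached state can change.` PrepareForDataProperty, visible below the new function, continues outside the hunk.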
Index: src/lookup.h
diff --git a/src/lookup.h b/src/lookup.h
index
2fcf46429d6ddb41a500003f2fa3902333b5db3c..90edd8b43d032f94aa0661105792a1eeff62e1f9
100644
--- a/src/lookup.h
+++ b/src/lookup.h
@@ -239,6 +239,7 @@ class LookupIterator final BASE_EMBEDDED {
Handle<Object> GetDataValue() const;
void WriteDataValue(Handle<Object> value);
void InternalizeName();
+ void ReloadHolderMap();
private:
enum class InterceptorState {
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
b14281a41bbbe9648a6838a292b811264596392b..d27247175cd49ccb75909488c436dec7233808f3
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -3292,6 +3292,12 @@ MaybeHandle<Object> Object::SetDataProperty(LookupIterator* it,
ASSIGN_RETURN_ON_EXCEPTION(it->isolate(), to_assign,
Execution::ToNumber(it->isolate(), value),
Object);
+ // ToNumber above might modify the receiver, causing the cached
+ // holder_map to mismatch the actual holder->map() after this point.
+ // Reload the map to be in consistent state. Other cached state cannot
+ // have been invalidated since typed array elements cannot be reconfigured
+ // in any way.
+ it->ReloadHolderMap();
}
}
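Review bot: The added comment justifies reloading only the map by saying typed array elements cannot be reconfigured, but it does not say whether the array's length or backing store can change while `Execution::ToNumber` runs user code. The element write that follows is outside the hunk, so I cannot tell whether it re-validates the index after the conversion or relies on a check made before it. Worth confirming, and once verified recording it next to the reload, e.g. `// The store below re-validates the index against the current length.` Object::SetDataProperty starts before and ends after this hunk.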
Index: test/mjsunit/regress/regress-507980.js
diff --git a/test/message/destructuring-modify-const.js
b/test/mjsunit/regress/regress-507980.js
similarity index 56%
copy from test/message/destructuring-modify-const.js
copy to test/mjsunit/regress/regress-507980.js
index
cabd924b37ea9f178259f4c979c3b3268920c713..d1a1f79f24e4458317fc6b8de5baa8bf45c0d1d9
100644
--- a/test/message/destructuring-modify-const.js
+++ b/test/mjsunit/regress/regress-507980.js
@@ -2,8 +2,7 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-// Flags: --harmony-destructuring
-'use strict';
-
-const { x : x, y : y } = { x : 1, y : 2 };
-x++;
+__v_1 = new Float64Array(1);
+__v_8 = { valueOf: function() { __v_13.y = "bar"; return 42; }};
+__v_13 = __v_1;
+__v_13[0] = __v_8;
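Review bot: The new regression test makes no assertion after the store on its last line, so it appears to detect the bug only through debug checks inside the engine and would pass unchanged in a build without them. Adding `assertEquals(42, __v_1[0]);` and `assertEquals("bar", __v_1.y);` after `__v_13[0] = __v_8;` would pin the expected result: the converted value is stored and the property added by `valueOf` survives. The generated names (`__v_1`, `__v_8`, `__v_13`) would also benefit from a one-line comment saying that `valueOf` changes the receiver's map during the store.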