Revision: 12803
Author: [email protected]
Date: Wed Oct 24 01:23:04 2012
Log: Merged r12785 into 3.13 branch.
Fix deletion of hidden property with inline-stored hash.
[email protected]
BUG=chromium:157124
TEST=cctest/test-api/Regress157124
Review URL: https://codereview.chromium.org/11269003
http://code.google.com/p/v8/source/detail?r=12803
Modified:
/branches/3.13/src/objects.cc
/branches/3.13/src/version.cc
/branches/3.13/test/cctest/test-api.cc
=======================================
--- /branches/3.13/src/objects.cc Fri Oct 12 07:02:49 2012
+++ /branches/3.13/src/objects.cc Wed Oct 24 01:23:04 2012
@@ -3557,7 +3557,6 @@
ASSERT(!IsJSGlobalProxy());
MaybeObject* hidden_lookup =
GetHiddenPropertiesHashTable(ONLY_RETURN_INLINE_VALUE);
- ASSERT(!hidden_lookup->IsFailure()); // No failure when passing false
as arg.
Object* inline_value = hidden_lookup->ToObjectUnchecked();
if (inline_value->IsSmi()) {
@@ -3598,13 +3597,11 @@
return JSObject::cast(proxy_parent)->SetHiddenProperty(key, value);
}
ASSERT(!IsJSGlobalProxy());
-
- // If there is no backing store yet, store the identity hash inline.
MaybeObject* hidden_lookup =
GetHiddenPropertiesHashTable(ONLY_RETURN_INLINE_VALUE);
- ASSERT(!hidden_lookup->IsFailure());
Object* inline_value = hidden_lookup->ToObjectUnchecked();
+ // If there is no backing store yet, store the identity hash inline.
if (value->IsSmi() &&
key == GetHeap()->identity_hash_symbol() &&
(inline_value->IsUndefined() || inline_value->IsSmi())) {
@@ -3641,15 +3638,16 @@
JSObject::cast(proxy_parent)->DeleteHiddenProperty(key);
return;
}
+ ASSERT(!IsJSGlobalProxy());
MaybeObject* hidden_lookup =
GetHiddenPropertiesHashTable(ONLY_RETURN_INLINE_VALUE);
- ASSERT(!hidden_lookup->IsFailure()); // No failure when passing false
as arg.
- if (hidden_lookup->ToObjectUnchecked()->IsUndefined()) return;
+ Object* inline_value = hidden_lookup->ToObjectUnchecked();
+
// We never delete (inline-stored) identity hashes.
- ASSERT(!hidden_lookup->ToObjectUnchecked()->IsSmi());
+ ASSERT(key != GetHeap()->identity_hash_symbol());
+ if (inline_value->IsUndefined() || inline_value->IsSmi()) return;
- ObjectHashTable* hashtable =
- ObjectHashTable::cast(hidden_lookup->ToObjectUnchecked());
+ ObjectHashTable* hashtable = ObjectHashTable::cast(inline_value);
MaybeObject* delete_result = hashtable->Put(key,
GetHeap()->the_hole_value());
USE(delete_result);
ASSERT(!delete_result->IsFailure()); // Delete does not cause GC.
=======================================
--- /branches/3.13/src/version.cc Fri Oct 12 07:02:49 2012
+++ /branches/3.13/src/version.cc Wed Oct 24 01:23:04 2012
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 13
#define BUILD_NUMBER 7
-#define PATCH_LEVEL 4
+#define PATCH_LEVEL 5
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
=======================================
--- /branches/3.13/test/cctest/test-api.cc Fri Oct 12 07:02:49 2012
+++ /branches/3.13/test/cctest/test-api.cc Wed Oct 24 01:23:04 2012
@@ -17443,6 +17443,16 @@
context->Global()->Set(v8_str("Bug"), templ->GetFunction());
CompileRun("Number.prototype.__proto__ = new Bug; var x = 0; x.foo();");
}
+
+
+THREADED_TEST(Regress157124) {
+ v8::HandleScope scope;
+ LocalContext context;
+ Local<ObjectTemplate> templ = ObjectTemplate::New();
+ Local<Object> obj = templ->NewInstance();
+ obj->GetIdentityHash();
+ obj->DeleteHiddenValue(v8_str("Bug"));
+}
#ifndef WIN32
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
