Reviewers: ulan,
Description:
Merged r18241 into 3.23 branch.
Check whether the receiver of a keyed call is actually a heap object.
LOG=N
BUG=325225
[email protected]
Please review this at https://codereview.chromium.org/102803004/
SVN Base: https://v8.googlecode.com/svn/branches/3.23
Affected files (+15, -11 lines):
M src/code-stubs-hydrogen.cc
M src/version.cc
A + test/mjsunit/regress/regress-crbug-325225.js
Index: src/code-stubs-hydrogen.cc
diff --git a/src/code-stubs-hydrogen.cc b/src/code-stubs-hydrogen.cc
index
e52ec65c4b7632ac81cb082bfcd5d727cce3a574..96cfc378476943483ab2f6dc862f3cf3389848f9
100644
--- a/src/code-stubs-hydrogen.cc
+++ b/src/code-stubs-hydrogen.cc
@@ -614,6 +614,7 @@ HValue*
CodeStubGraphBuilder<KeyedArrayCallStub>::BuildCodeStub() {
info()->set_parameter_count(argc);
HValue* receiver = Add<HParameter>(1);
+ BuildCheckHeapObject(receiver);
// Load the expected initial array map from the context.
JSArrayBuilder array_builder(this, casted_stub()->elements_kind());
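Review bot: The added `BuildCheckHeapObject(receiver);` carries no comment explaining why it must sit before the map load that follows, and that ordering is the whole fix. The receiver comes straight from `Add<HParameter>(1)`, so it can be a Smi (the regression test in this change calls `0[0]` and `42[0]`); presumably the later comparison against the initial array map would otherwise read a map from a value that is not a heap pointer. I would add `// The receiver is caller-supplied and may be a Smi; reject it before any map load.` directly above the check. BuildCodeStub's body continues outside the hunk, so it cannot be confirmed from here that no other use of `receiver` needs the same guard.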
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index
4c573323d60f34071bc8082946e75574d7589d1a..0571eb68ecc4f0ee972a623432904f467d4ab4b5
100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 23
#define BUILD_NUMBER 17
-#define PATCH_LEVEL 1
+#define PATCH_LEVEL 2
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-crbug-325225.js
diff --git a/test/mjsunit/regress/regress-crbug-242870.js
b/test/mjsunit/regress/regress-crbug-325225.js
similarity index 87%
copy from test/mjsunit/regress/regress-crbug-242870.js
copy to test/mjsunit/regress/regress-crbug-325225.js
index
7183375ca811cedc81c870d34e694e98cf727f9b..798d54839d8404c00cb7a7542cc5c591d8e2ebaa
100644
--- a/test/mjsunit/regress/regress-crbug-242870.js
+++ b/test/mjsunit/regress/regress-crbug-325225.js
@@ -25,19 +25,22 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-// Flags: --allow-natives-syntax
+function f1(a) {
+ a[0](0);
+}
+
+function do1() {
+ f1([f1]);
+}
-var non_const_true = true;
+assertThrows(do1, TypeError);
-function f() {
- return (non_const_true || true && g());
+function f2(a) {
+ a[0](true);
}
-function g() {
- for (;;) {}
+function do2() {
+ f2([function(a) { return f2("undefined", typeof f2(42, 0)); }]);
}
-assertTrue(f());
-assertTrue(f());
-%OptimizeFunctionOnNextCall(f);
-assertTrue(f());
+assertThrows(do2, TypeError);
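Review bot: The new test never states which call is the regression case, and the file copied from regress-crbug-242870.js keeps no description of its own. As far as the visible lines show, the first call with an array receiver is what brings the keyed-call site into the state where the Smi receivers (`0[0](0)` inside f1, `42[0](true)` reached through do2) hit the stub; that dependency is implicit and nothing in the file forces it now that the flags line is gone. A header such as `// Keyed call on a Smi receiver must throw TypeError instead of reaching the array call stub's map check (crbug 325225).` would keep the intent clear if the IC heuristics change. A one-line comment in do2 noting that the outer `f2("undefined", ...)` is never reached because the inner `f2(42, 0)` throws would also help.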