Revision: 18754
Author: [email protected]
Date: Wed Jan 22 14:02:00 2014 UTC
Log: Ensure we don't overwrite transitions in
SetPropertyIgnoreAttributes.
BUG=326155
LOG=y
[email protected]
Review URL: https://codereview.chromium.org/134733011
http://code.google.com/p/v8/source/detail?r=18754
Modified:
/branches/bleeding_edge/src/objects-inl.h
/branches/bleeding_edge/src/objects.cc
/branches/bleeding_edge/test/cctest/test-api.cc
=======================================
--- /branches/bleeding_edge/src/objects-inl.h Fri Jan 17 10:27:57 2014 UTC
+++ /branches/bleeding_edge/src/objects-inl.h Wed Jan 22 14:02:00 2014 UTC
@@ -4780,6 +4780,17 @@
// When there is another reference to the array somewhere (e.g. a
handle),
// not zapping turns from a waste of memory into a source of crashes.
if (HasTransitionArray()) {
+#ifdef DEBUG
+ for (int i = 0; i < transitions()->number_of_transitions(); i++) {
+ Map* target = transitions()->GetTarget(i);
+ if (target->instance_descriptors() == instance_descriptors()) {
+ Name* key = transitions()->GetKey(i);
+ int new_target_index = transition_array->Search(key);
+ ASSERT(new_target_index != TransitionArray::kNotFound);
+ ASSERT(transition_array->GetTarget(new_target_index) == target);
+ }
+ }
+#endif
ASSERT(transitions() != transition_array);
ZapTransitions();
}
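Review bot: The invariant check added inside `if (HasTransitionArray())` is compiled only under `#ifdef DEBUG`, so release builds still reach `ZapTransitions()` without verifying that every transition whose target shares this map's descriptor array is present, with the same target, in `transition_array`. A comment above the loop would record that contract for callers, for example `// Transitions whose target shares our descriptor array must survive, with the same target, in the new array.` The loop condition also re-evaluates `transitions()->number_of_transitions()` on each iteration; reading it into a local once would be clearer. The enclosing function starts and ends outside the hunk, so whether a release-mode check is affordable here cannot be judged from these lines.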
=======================================
--- /branches/bleeding_edge/src/objects.cc Wed Jan 22 08:46:39 2014 UTC
+++ /branches/bleeding_edge/src/objects.cc Wed Jan 22 14:02:00 2014 UTC
@@ -4218,9 +4218,12 @@
// Check for accessor in prototype chain removed here in clone.
if (!lookup.IsFound()) {
+ object->map()->LookupTransition(*object, *name, &lookup);
+ TransitionFlag flag = lookup.IsFound()
+ ? OMIT_TRANSITION : INSERT_TRANSITION;
// Neither properties nor transitions found.
return AddProperty(object, name, value, attributes, kNonStrictMode,
- MAY_BE_STORE_FROM_KEYED, extensibility_check, value_type, mode);
+ MAY_BE_STORE_FROM_KEYED, extensibility_check, value_type, mode,
flag);
}
Handle<Object> old_value = isolate->factory()->the_hole_value();
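Review bot: The retained comment `// Neither properties nor transitions found.` no longer matches the code beneath it, because the added `LookupTransition` call can find a transition, in which case `OMIT_TRANSITION` is passed to `AddProperty`. It would read correctly if moved above the `LookupTransition` line and reworded, for example `// No property found; if a transition for this name already exists, add without inserting one so it is not overwritten.` The same `lookup` object is reused for the transition lookup, so after that call it no longer describes the property lookup; this looks harmless only because the branch returns immediately. The enclosing function continues outside the hunk.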
=======================================
--- /branches/bleeding_edge/test/cctest/test-api.cc Mon Jan 20 15:44:03
2014 UTC
+++ /branches/bleeding_edge/test/cctest/test-api.cc Wed Jan 22 14:02:00
2014 UTC
@@ -1997,6 +1997,21 @@
ExpectInt32("child.age", 10);
ExpectInt32("child.accessor_age", 10);
}
+
+
+THREADED_TEST(EmptyInterceptorBreakTransitions) {
+ v8::HandleScope scope(CcTest::isolate());
+ Handle<FunctionTemplate> templ =
FunctionTemplate::New(CcTest::isolate());
+ AddInterceptor(templ, EmptyInterceptorGetter, EmptyInterceptorSetter);
+ LocalContext env;
+ env->Global()->Set(v8_str("Constructor"), templ->GetFunction());
+ CompileRun("var o1 = new Constructor;"
+ "o1.a = 1;" // Ensure a and x share the descriptor array.
+ "Object.defineProperty(o1, 'x', {value: 10});");
+ CompileRun("var o2 = new Constructor;"
+ "o2.a = 1;"
+ "Object.defineProperty(o2, 'x', {value: 10});");
+}
THREADED_TEST(EmptyInterceptorDoesNotShadowJSAccessors) {
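Review bot: `EmptyInterceptorBreakTransitions` contains no explicit expectation, so it appears to detect a regression only through the `ASSERT`s added under `#ifdef DEBUG` in objects-inl.h and would pass vacuously in a release build. Adding observable checks after the second `CompileRun`, such as `ExpectInt32("o1.x", 10);` and `ExpectInt32("o2.x", 10);`, would give the test a result in every configuration, assuming the empty interceptor leaves the defined value visible. A one-line comment saying that the test relies on the debug-mode transition check would also help the next reader.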