Reviewers: Jakob,

Description:
Merged r18754 into 3.22 branch.

Ensure we don't overwrite transitions in SetPropertyIgnoreAttributes.

BUG=326155
LOG=N
[email protected]

Please review this at https://codereview.chromium.org/140673004/

SVN Base: https://v8.googlecode.com/svn/branches/3.22

Affected files (+31, -2 lines):
  M src/objects-inl.h
  M src/objects.cc
  M src/version.cc
  M test/cctest/test-api.cc


Index: src/objects-inl.h
diff --git a/src/objects-inl.h b/src/objects-inl.h
index deb33653f7844c70ae9d848f5a59e62cbbe43989..929ad11bfe0466141aa7dd150de8e5fd09ae1f78 100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -4422,6 +4422,17 @@ void Map::set_transitions(TransitionArray* transition_array,
   // When there is another reference to the array somewhere (e.g. a handle),
   // not zapping turns from a waste of memory into a source of crashes.
   if (HasTransitionArray()) {
+#ifdef DEBUG
+    for (int i = 0; i < transitions()->number_of_transitions(); i++) {
+      Map* target = transitions()->GetTarget(i);
+      if (target->instance_descriptors() == instance_descriptors()) {
+        Name* key = transitions()->GetKey(i);
+        int new_target_index = transition_array->Search(key);
+        ASSERT(new_target_index != TransitionArray::kNotFound);
+        ASSERT(transition_array->GetTarget(new_target_index) == target);
+      }
+    }
+#endif
     ASSERT(transitions() != transition_array);
     ZapTransitions();
   }
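Review bot: The new `#ifdef DEBUG` loop carries no comment naming the invariant it enforces, and both `ASSERT`s compile away in release builds, so release binaries rely entirely on callers never dropping such a transition. I would add above the loop something like `// Transitions to maps that share our descriptor array must also be present, with the same target, in the new array.` Given that the existing comment above already links transition-array handling to crashes, it is worth considering whether this invariant deserves a check that stays on outside debug builds. The loop also re-evaluates `transitions()` on every iteration, and a local would read more clearly. The body of `Map::set_transitions` starts and ends outside this hunk.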
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index cf51024c867c9d74f8a00b3c4c3e130d04139afb..9fddb8330a635f640f4a013659e7f530838cdcfa 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -4186,9 +4186,12 @@ Handle<Object> JSObject::SetLocalPropertyIgnoreAttributes(

   // Check for accessor in prototype chain removed here in clone.
   if (!lookup.IsFound()) {
+    object->map()->LookupTransition(*object, *name, &lookup);
+    TransitionFlag flag = lookup.IsFound()
+        ? OMIT_TRANSITION : INSERT_TRANSITION;
     // Neither properties nor transitions found.
     return AddProperty(object, name, value, attributes, kNonStrictMode,
-        MAY_BE_STORE_FROM_KEYED, extensibility_check, value_type, mode);
+ MAY_BE_STORE_FROM_KEYED, extensibility_check, value_type, mode, flag);
   }

   Handle<Object> old_value = isolate->factory()->the_hole_value();
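Review bot: The context comment `// Neither properties nor transitions found.` is no longer accurate after this change, because when `LookupTransition` finds an entry `flag` becomes `OMIT_TRANSITION` and `AddProperty` is still called. Reword it and move it above the `LookupTransition` call, e.g. `// No local property found. If a transition for this name already exists, add the property without inserting one so the existing transition is not overwritten.` The continuation line of the `AddProperty` call also appears to have lost its alignment, though that may be an artifact of how the patch was rendered. `SetLocalPropertyIgnoreAttributes` starts and continues outside this hunk.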
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index fa89770466e67e620a0d2c306e7e28acae11b5e5..cecdee4e059369ad5c33f4a345f5288d18f40ff7 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     22
 #define BUILD_NUMBER      24
-#define PATCH_LEVEL       19
+#define PATCH_LEVEL       20
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
Index: test/cctest/test-api.cc
diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
index d5e838ebe09618a6dbc3dcdd567d5d0136482cc2..d6fce3e54e04f5554c30853e666449e783ddc0dd 100644
--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -1938,6 +1938,21 @@ void AddInterceptor(Handle<FunctionTemplate> templ,
 }


+THREADED_TEST(EmptyInterceptorBreakTransitions) {
+  v8::HandleScope scope(CcTest::isolate());
+  Handle<FunctionTemplate> templ = FunctionTemplate::New();
+  AddInterceptor(templ, EmptyInterceptorGetter, EmptyInterceptorSetter);
+  LocalContext env;
+  env->Global()->Set(v8_str("Constructor"), templ->GetFunction());
+  CompileRun("var o1 = new Constructor;"
+             "o1.a = 1;"  // Ensure a and x share the descriptor array.
+             "Object.defineProperty(o1, 'x', {value: 10});");
+  CompileRun("var o2 = new Constructor;"
+             "o2.a = 1;"
+             "Object.defineProperty(o2, 'x', {value: 10});");
+}
+
+
 THREADED_TEST(EmptyInterceptorDoesNotShadowAccessors) {
   v8::HandleScope scope(CcTest::isolate());
   Handle<FunctionTemplate> parent = FunctionTemplate::New();
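Review bot: `EmptyInterceptorBreakTransitions` contains no `CHECK` of its own, so as far as this patch shows it can only catch the regression through the debug-only `ASSERT`s added to `Map::set_transitions`. In a release build it would pass regardless. State that dependency in a comment at the top of the test, e.g. `// Relies on the debug-mode ASSERTs in Map::set_transitions to catch an overwritten transition.` Consider also reading `o1.x` and `o2.x` back with an explicit check, so the test asserts something in every build configuration.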

