Reviewers: Yang,

Message:
Hi Yang, here is one more, thx!
--Michael

Description:
%ObjectFreeze needs to exclude non-fast-path objects.

ClusterFuzz will call it with sloppy arguments and similar cases.

BUG=380049
LOG=N
[email protected]

Please review this at https://codereview.chromium.org/315533002/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+12, -7 lines):
  M src/runtime.cc
  A + test/mjsunit/regress/regress-380049.js


Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index 5971e33082b083d6292d2957dd5ef02b1e6fb04f..568efc1083566e2b517979fd5a4a4b5ead217e43 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -3258,6 +3258,12 @@ RUNTIME_FUNCTION(Runtime_ObjectFreeze) {
   HandleScope scope(isolate);
   ASSERT(args.length() == 1);
   CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
+
+  // %ObjectFreeze is a fast path and these cases are handled elsewhere.
+  RUNTIME_ASSERT(!object->HasSloppyArgumentsElements() &&
+                 !object->map()->is_observed() &&
+                 !object->IsJSProxy());
+
   Handle<Object> result;
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, result, JSObject::Freeze(object));
   return *result;
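Review bot: the comment above the new RUNTIME_ASSERT says the sloppy-arguments, observed and proxy cases are "handled elsewhere" but does not say where; naming the JS-side caller that is expected to divert those objects before reaching %ObjectFreeze would let a reader verify the invariant rather than take it on trust. Also, folding the three conditions into one RUNTIME_ASSERT means a failure only reports that some precondition was violated, not which one; three separate asserts (`RUNTIME_ASSERT(!object->HasSloppyArgumentsElements());` etc.) cost nothing and make a ClusterFuzz report immediately actionable. Finally, RUNTIME_ASSERT turns the old crash into a thrown illegal-operation error from a function the description calls a fast path, so any caller that can legitimately pass one of these objects now needs to handle that exception; please confirm none does.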
Index: test/mjsunit/regress/regress-380049.js
diff --git a/test/mjsunit/regress/regress-355486.js b/test/mjsunit/regress/regress-380049.js
similarity index 64%
copy from test/mjsunit/regress/regress-355486.js
copy to test/mjsunit/regress/regress-380049.js
index 55362a13416335b72bfa1ff92bc29f7a04edbd65..0b2b265fef27a8933bd825515fdeb814930751ef 100644
--- a/test/mjsunit/regress/regress-355486.js
+++ b/test/mjsunit/regress/regress-380049.js
@@ -4,10 +4,9 @@

 // Flags: --allow-natives-syntax

-function f() { var v = arguments[0]; }
-function g() { f(); }
-
-g();
-g();
-%OptimizeFunctionOnNextCall(g);
-g();
+function foo(a,b,c) { return arguments; }
+var f = foo(false, null, 40);
+try {
+  %ObjectFreeze(f);
+} catch(e) {
+}
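Review bot: the empty `catch(e) {}` makes this regression test pass whether %ObjectFreeze throws, returns normally, or silently freezes the arguments object, so it only guards against a process crash. Since the intended behavior after this change is that the runtime call rejects the object, the test would be stronger if it asserted that outcome (e.g. that the call throws, or that `Object.isFrozen(f)` is still false afterwards) instead of swallowing every exception. The test also exercises only the sloppy-arguments case; the observed-object and proxy conditions added to the RUNTIME_ASSERT have no coverage here, so a regression in either would go unnoticed.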

