Revision: 21624
Author: [email protected]
Date: Tue Jun 3 07:59:36 2014 UTC
Log: %ObjectFreeze needs to exclude non-fast-path objects.
ClusterFuzz will call it with sloppy arguments and similar cases.
BUG=380049
LOG=N
[email protected]
Review URL: https://codereview.chromium.org/315533002
http://code.google.com/p/v8/source/detail?r=21624
Added:
/branches/bleeding_edge/test/mjsunit/regress/regress-380049.js
Modified:
/branches/bleeding_edge/src/runtime.cc
=======================================
--- /dev/null
+++ /branches/bleeding_edge/test/mjsunit/regress/regress-380049.js Tue Jun
3 07:59:36 2014 UTC
@@ -0,0 +1,9 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(a,b,c) { return arguments; }
+var f = foo(false, null, 40);
+assertThrows(function() { %ObjectFreeze(f); });
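Review bot: Only the sloppy-arguments case is covered here, while the guard added to runtime.cc in the same commit also rejects observed objects, so that branch can regress unnoticed. If Object.observe is available in this test configuration, a second case such as `var o = {}; Object.observe(o, function() {});` followed by `assertThrows(function() { %ObjectFreeze(o); });` would pin it. A one-line comment above the existing call, for example `// %ObjectFreeze must throw on objects outside its fast path (sloppy arguments).`, would also tell a reader what the test guards against.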
=======================================
--- /branches/bleeding_edge/src/runtime.cc Tue Jun 3 07:45:40 2014 UTC
+++ /branches/bleeding_edge/src/runtime.cc Tue Jun 3 07:59:36 2014 UTC
@@ -3266,6 +3266,12 @@
HandleScope scope(isolate);
ASSERT(args.length() == 1);
CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
+
+ // %ObjectFreeze is a fast path and these cases are handled elsewhere.
+ RUNTIME_ASSERT(!object->HasSloppyArgumentsElements() &&
+ !object->map()->is_observed() &&
+ !object->IsJSProxy());
+
Handle<Object> result;
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, result,
JSObject::Freeze(object));
return *result;
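Review bot: The comment above the new `RUNTIME_ASSERT` says these cases are "handled elsewhere" but does not say which preconditions of `JSObject::Freeze` the guard protects, so someone adding a precondition there has no cue to extend this check. Because the runtime function can be called directly under `--allow-natives-syntax` (the commit log mentions ClusterFuzz doing so), I would spell that out, e.g. `// Reachable directly via natives syntax: reject objects JSObject::Freeze does not support (sloppy arguments, observed) rather than trusting callers.` The `!object->IsJSProxy()` term follows `CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0)`, which presumably already rejects anything that is not a JSObject; if proxies are not JSObjects in this tree, that term can never fail and could be dropped or explained. The function's signature and closing brace are outside the hunk, so the remaining preconditions cannot be checked from here.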