Reviewers: jarin,
Description:
Version 3.26.31.2 (merged r21743)
Fix invalid attributes when generalizing because of incompatible map change.
BUG=382143
LOG=N
[email protected]
Please review this at https://codereview.chromium.org/321383002/
SVN Base: https://v8.googlecode.com/svn/branches/3.26
Affected files (+41, -9 lines):
M src/objects.h
M src/objects.cc
M src/version.cc
A test/mjsunit/regress/regress-crbug-382143.js
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
178b5fdae58ae5d3051f835071a7ae196841c3cf..bdd06b40fc6fb313a73a308b735908507a28d854
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -2346,6 +2346,18 @@ Handle<Map>
Map::CopyGeneralizeAllRepresentations(Handle<Map> map,
}
+// static
+Handle<Map> Map::CopyGeneralizeAllRepresentations(Handle<Map> map,
+ int modify_index,
+ StoreMode store_mode,
+ const char* reason) {
+ PropertyDetails details =
+ map->instance_descriptors()->GetDetails(modify_index);
+ return CopyGeneralizeAllRepresentations(map, modify_index, store_mode,
+ details.attributes(), reason);
+}
+
+
void Map::DeprecateTransitionTree() {
if (is_deprecated()) return;
if (HasTransitionArray()) {
@@ -2591,8 +2603,8 @@ Handle<Map> Map::GeneralizeRepresentation(Handle<Map>
old_map,
// Check the state of the root map.
Handle<Map> root_map(old_map->FindRootMap(), isolate);
if (!old_map->EquivalentToForTransition(*root_map)) {
- return CopyGeneralizeAllRepresentations(old_map, modify_index,
store_mode,
- old_details.attributes(), "not equivalent");
+ return CopyGeneralizeAllRepresentations(
+ old_map, modify_index, store_mode, "not equivalent");
}
int root_nof = root_map->NumberOfOwnDescriptors();
if (modify_index < root_nof) {
@@ -2601,8 +2613,8 @@ Handle<Map> Map::GeneralizeRepresentation(Handle<Map>
old_map,
(old_details.type() == FIELD &&
(!new_field_type->NowIs(old_descriptors->GetFieldType(modify_index)) ||
!new_representation.fits_into(old_details.representation())))) {
- return CopyGeneralizeAllRepresentations(old_map, modify_index,
store_mode,
- old_details.attributes(), "root modification");
+ return CopyGeneralizeAllRepresentations(
+ old_map, modify_index, store_mode, "root modification");
}
}
@@ -2624,8 +2636,7 @@ Handle<Map> Map::GeneralizeRepresentation(Handle<Map>
old_map,
(tmp_type != old_type ||
tmp_descriptors->GetValue(i) != old_descriptors->GetValue(i)))) {
return CopyGeneralizeAllRepresentations(
- old_map, modify_index, store_mode,
- old_details.attributes(), "incompatible");
+ old_map, modify_index, store_mode, "incompatible");
}
Representation old_representation = old_details.representation();
Representation tmp_representation = tmp_details.representation();
@@ -2689,8 +2700,7 @@ Handle<Map> Map::GeneralizeRepresentation(Handle<Map>
old_map,
(tmp_details.type() != old_details.type() ||
tmp_descriptors->GetValue(i) != old_descriptors->GetValue(i)))) {
return CopyGeneralizeAllRepresentations(
- old_map, modify_index, store_mode,
- old_details.attributes(), "incompatible");
+ old_map, modify_index, store_mode, "incompatible");
}
target_map = tmp_map;
}
@@ -2733,6 +2743,7 @@ Handle<Map> Map::GeneralizeRepresentation(Handle<Map>
old_map,
target_details = target_details.CopyWithRepresentation(
new_representation.generalize(target_details.representation()));
}
+ ASSERT_EQ(old_details.attributes(), target_details.attributes());
if (old_details.type() == FIELD ||
target_details.type() == FIELD ||
(modify_index == i && store_mode == FORCE_FIELD) ||
Index: src/objects.h
diff --git a/src/objects.h b/src/objects.h
index
d607b04cad9188fa1659a42535ad9a18422110f3..c2c1a2b779b48a3989d0cac5cea4391d4360678f
100644
--- a/src/objects.h
+++ b/src/objects.h
@@ -6142,6 +6142,11 @@ class Map: public HeapObject {
StoreMode store_mode,
PropertyAttributes attributes,
const char* reason);
+ static Handle<Map> CopyGeneralizeAllRepresentations(
+ Handle<Map> map,
+ int modify_index,
+ StoreMode store_mode,
+ const char* reason);
static Handle<Map> Normalize(Handle<Map> map, PropertyNormalizationMode
mode);
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index
e4de36a69d029fa5afda0a85af7d63b4d0100795..007343014f7746233016256db0596eb36097f233
100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 26
#define BUILD_NUMBER 31
-#define PATCH_LEVEL 1
+#define PATCH_LEVEL 2
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-crbug-382143.js
diff --git a/test/mjsunit/regress/regress-crbug-382143.js
b/test/mjsunit/regress/regress-crbug-382143.js
new file mode 100644
index
0000000000000000000000000000000000000000..9f37b2e478c5f647bd02cb94a009c1c1453b083e
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-382143.js
@@ -0,0 +1,16 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function A() {
+ Object.defineProperty(this, "x", { set: function () {}, get: function ()
{}});
+ this.a = function () { return 1; }
+}
+
+function B() {
+ A.apply( this );
+ this.a = function () { return 2; }
+}
+
+var b = new B();
+assertTrue(Object.getOwnPropertyDescriptor(b, "a").enumerable);
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
