Fix FastAssign for self-assignment

Storing a data property on |target| can change |source|'s map if |target| and |source| are the same object. BUG=chromium:716520 Review-Url: https://codereview.chromium.org/2855133006 Cr-Commit-Position: refs/heads/master@{#45097}
2017-05-04 06:41:08 -07:00 · 2017-05-04 06:41:08 -07:00 · 1f51f66f73
commit 1f51f66f73
parent 6548f76c92
2 changed files with 22 additions and 2 deletions
--- a/src/objects.cc
+++ b/src/objects.cc
@ -2062,11 +2062,10 @@ MUST_USE_RESULT Maybe<bool> FastAssign(

    if (use_set) {
      LookupIterator it(target, next_key, target);
-      bool call_to_js = it.IsFound() && it.state() != LookupIterator::DATA;
      Maybe<bool> result = Object::SetProperty(
          &it, prop_value, STRICT, Object::CERTAINLY_NOT_STORE_FROM_KEYED);
      if (result.IsNothing()) return result;
-      if (stable && call_to_js) stable = from->map() == *map;
+      if (stable) stable = from->map() == *map;
    } else {
      if (excluded_properties != nullptr &&
          HasExcludedProperty(excluded_properties, next_key)) {
--- a/test/mjsunit/regress/regress-crbug-716520.js
+++ b/test/mjsunit/regress/regress-crbug-716520.js
@ -0,0 +1,21 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var __v_0 = {};
+var __v_8 = this;
+var __v_11 = -1073741825;
+__v_1 = this;
+try {
+} catch(e) {; }
+  function __f_4() {}
+  __f_4.prototype = __v_0;
+  function __f_9() { return new __f_4().v; }
+  __f_9(); __f_9();
+try {
+(function() {
+})();
+} catch(e) {; }
+  Object.assign(__v_0, __v_1, __v_0);
+(function() {
+})();