[csa] Fix type casing in GetProperty
The checked node and used node were mismatched. It checked if "var_unique" is a string, but it used "key" which may not be a string. Bug: v8:4911, v8:7161, chromium:800077 Change-Id: Ia2aee8b77ac33500430365a4800bf9cca40a28fc Reviewed-on: https://chromium-review.googlesource.com/855138 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#50435}
parent
244a05fb39
commit
864372000e
@ -7134,7 +7134,8 @@ void CodeStubAssembler::TryPrototypeChainLookup(
|
||||
GotoIfNot(InstanceTypeEqual(holder_instance_type, JS_TYPED_ARRAY_TYPE),
|
||||
&next_proto);
|
||||
GotoIfNot(IsString(var_unique.value()), &next_proto);
|
||||
BranchIfMaybeSpecialIndex(CAST(key), if_bailout, &next_proto);
|
||||
BranchIfMaybeSpecialIndex(CAST(var_unique.value()), if_bailout,
|
||||
&next_proto);
|
||||
}
|
||||
|
||||
BIND(&next_proto);
|
||||
|
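Review bot: The String check and the cast in the corrected branch each re-read `var_unique.value()`, so only adjacency ties the checked node to the cast node, which is the same gap that let `key` slip in. Binding the value once, e.g. `Node* const unique_name = var_unique.value();`, and passing that local to both `IsString(...)` and `CAST(...)` would make the pairing explicit. A short comment such as `// |key| is the caller's raw value and need not be a String; only the unique name may be cast here.` would record why, since CAST is presumably only verified in debug builds and a mismatch would otherwise be a silent type confusion. The body of TryPrototypeChainLookup starts and ends outside this hunk.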
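--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-800077.js
@@ -0,0 +1,6 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var sample = new Float64Array(1);
+Reflect.has(sample, undefined);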
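Review bot: The regression test contains no assertion, so it only fails if `Reflect.has(sample, undefined)` crashes, which presumably requires a build that verifies casts. Asserting the result, `assertFalse(Reflect.has(sample, undefined));`, would also pin the observable behaviour on builds where the bad cast goes unnoticed. A one-line comment above the call, e.g. `// A non-string key must not be cast to String in the typed-array lookup path.`, would tell a reader what the test guards. A second call with a symbol key would exercise the branch where the unique name is not a String.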