[runtime] Fix overzealous check for derived constructor instance size

Bug: chromium:813427 Change-Id: Ie0b096b20f335648e7920c5ebe4ff0fa3b5ab9d5 Reviewed-on: https://chromium-review.googlesource.com/926003 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#51393}
2018-02-20 13:09:04 +01:00 · 2018-02-20 13:09:04 +01:00 · da83b61848
commit da83b61848
parent 18344ef408
2 changed files with 50 additions and 1 deletions
--- a/src/objects.cc
+++ b/src/objects.cc
@ -13075,7 +13075,7 @@ bool FastInitializeDerivedMap(Isolate* isolate, Handle<JSFunction> new_target,
  if (success) {
    int pre_allocated = constructor_initial_map->GetInObjectProperties() -
                        constructor_initial_map->UnusedPropertyFields();
-    CHECK_LE(constructor_initial_map->instance_size(), instance_size);
+    CHECK_LE(constructor_initial_map->UsedInstanceSize(), instance_size);
    int unused_property_fields = in_object_properties - pre_allocated;
    map = Map::CopyInitialMap(constructor_initial_map, instance_size,
                              in_object_properties, unused_property_fields);
--- a/test/mjsunit/regress/regress-crbug-813427.js
+++ b/test/mjsunit/regress/regress-crbug-813427.js
@ -0,0 +1,49 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+// Create {count} property assignments.
+function createPropertiesAssignment(count) {
+  let result = "";
+  for (let i = 0; i < count; i++) {
+    result += "this.p"+i+" = undefined;";
+  }
+  return result;
+}
+
+function testSubclassProtoProperties(count) {
+  const MyClass = eval(`(class MyClass {
+    constructor() {
+      ${createPropertiesAssignment(count)}
+    }
+  });`);
+
+  class BaseClass {};
+  class SubClass extends BaseClass {
+    constructor() {
+        super()
+    }
+  };
+
+  const boundMyClass = MyClass.bind();
+  %HeapObjectVerify(boundMyClass);
+
+  SubClass.__proto__ = boundMyClass;
+  var instance = new SubClass();
+
+  %HeapObjectVerify(instance);
+  // Create some more instances to complete in-object slack tracking.
+  let results = [];
+  for (let i = 0; i < 4000; i++) {
+    results.push(new SubClass());
+  }
+  var instance = new SubClass();
+  %HeapObjectVerify(instance);
+}
+
+
+for (let count = 0; count < 10; count++) {
+  testSubclassProtoProperties(count);
+}