Fix one more LookupIterator

Copying one object's named properties is always fine, even if one of the names could be a large index on a TypedArray. Mark the LookupIterator as OWN_SKIP_INTERCEPTOR to avoid the DCHECK. Bug: chromium:1044909 Change-Id: I6918186a4b50df7865de3572cb674fd7d6eadb78 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2023558 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#66027}
2020-01-29 17:05:21 +01:00 · 2020-01-29 17:05:21 +01:00 · efaa34b5e5
commit efaa34b5e5
parent a35214a0c5
2 changed files with 18 additions and 2 deletions
--- a/src/objects/js-objects.cc
+++ b/src/objects/js-objects.cc
@ -244,9 +244,10 @@ V8_WARN_UNUSED_RESULT Maybe<bool> FastAssign(
          prop_value = JSObject::FastPropertyAt(from, representation, index);
        }
      } else {
+        LookupIterator it(isolate, from, next_key,
+                          LookupIterator::OWN_SKIP_INTERCEPTOR);
        ASSIGN_RETURN_ON_EXCEPTION_VALUE(
-            isolate, prop_value,
-            JSReceiver::GetProperty(isolate, from, next_key), Nothing<bool>());
+            isolate, prop_value, Object::GetProperty(&it), Nothing<bool>());
        stable = from->map() == *map;
        *descriptors.location() = map->instance_descriptors().ptr();
      }
--- a/test/mjsunit/regress/regress-crbug-1044909.js
+++ b/test/mjsunit/regress/regress-crbug-1044909.js
@ -0,0 +1,15 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function main() {
+  const v2 = Object.prototype;
+  v2[4294967296] = {};
+  const v12 = {get: function() {}};
+  Object.defineProperty(v2, 4294967296, v12);
+  const v15 = {...v2};
+}
+%PrepareFunctionForOptimization(main);
+main();