Fix assert caused by SloppyArgumentsElements introduction

There was a legacy place in map code that wasn't fully ported to use
the strong, new SloppyArgumentsElements type because of code that used
hard-coded constants.

Bug: chromium:1086470
Change-Id: Ieba152e4bd92c89125f831949c2efb4f4219f95c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2215059
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67984}
Daniel Clifford 2020-05-26 17:00:38 +02:00 committed by Commit Bot
parent 7cd83ecb0d
commit fbb8dc4211
2 changed files with 25 additions and 2 deletions


@ -25,6 +25,8 @@
#include "src/roots/roots.h" #include "src/roots/roots.h"
#include "src/utils/ostreams.h" #include "src/utils/ostreams.h"
#include "src/zone/zone-containers.h" #include "src/zone/zone-containers.h"
#include "torque-generated/exported-class-definitions-tq-inl.h"
#include "torque-generated/exported-class-definitions-tq.h"
#include "torque-generated/field-offsets-tq.h" #include "torque-generated/field-offsets-tq.h"
namespace v8 { namespace v8 {
@ -1437,8 +1439,9 @@ bool Map::MayHaveReadOnlyElementsInPrototypeChain(Isolate* isolate) {
} }
if (IsSlowArgumentsElementsKind(elements_kind)) { if (IsSlowArgumentsElementsKind(elements_kind)) {
FixedArray parameter_map = FixedArray::cast(current.elements(isolate)); SloppyArgumentsElements elements =
Object arguments = parameter_map.get(isolate, 1); SloppyArgumentsElements::cast(current.elements(isolate));
Object arguments = elements.arguments();
if (NumberDictionary::cast(arguments).requires_slow_elements()) { if (NumberDictionary::cast(arguments).requires_slow_elements()) {
return true; return true;
} }
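Review bot: The `NumberDictionary::cast(arguments)` that follows the new `elements.arguments()` read is justified only by the `IsSlowArgumentsElementsKind(elements_kind)` guard, and nothing in the hunk says so. V8's `cast` helpers are, as far as I know, verified only in debug builds, so if the elements kind and the backing store ever disagree, a release build would treat the object as a dictionary without complaint. I would add a comment above the cast such as `// Slow sloppy arguments: the arguments store is always a NumberDictionary.`, and since the description calls this a leftover "legacy place", it is worth searching for any other reads of sloppy arguments elements through `FixedArray` with a hard-coded index. The function body starts and ends outside this hunk.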


@ -0,0 +1,20 @@
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function __f_1( __v_9) {
return arguments;
}
var __v_48 = [];
var __v_49 = __f_1();
var __v_50 = 3;
Object.preventExtensions(__v_49);
function __f_7(__v_52, __v_53, __v_54) {
__v_52[__v_53] =
__v_54;
}
__v_48.__proto__ = __v_49;
for (var __v_51 = 0; __v_51 < __v_50; __v_51++) {
__f_7(__v_48, __v_51);
}
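Review bot: The regression test has no assertions and no comment saying what it exercises, so it can presumably fail only in a build where the assert named in the commit title is compiled in; elsewhere it passes whether or not the fix is present. A short header comment would make that explicit, e.g. `// Regression test for chromium:1086470: keyed stores into an array whose prototype is a non-extensible sloppy arguments object.` Stating that the test depends on debug checks would help whoever later triages a failure or reduces the file further.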