d6efcbf022
Includes fixes for several ClusterFuzz regressions:

1) fix an invalid Handle-cast in ic.cc (chromium:866282)
2) fix for improper accounting of used/unused inobject fields, found by clusterfuzz (chromium:866357).
3) fix number of control outputs for the JSCloneObject operator to be used by IfSuccess and IfException nodes (chromium:866727).
4) fix property constness in out-of-object properties of fast-cloned object to be compatible with DCHECKs in StoreIC (chromium:866861).

Also includes the fixups missing from the initial commit, and regression tests.

BUG=v8:7611, chromium:866282, chromium:866357, chromium:866727, chromium:866861
R=jkummerow@chromium.org, mvstanton@chromium.org
TBR=rmcilroy@chromium.org

Change-Id: I77220308482f16db2893c0dcebec36530d0f5540
Reviewed-on: https://chromium-review.googlesource.com/1146297
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54706}
18 lines
695 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Runtime_ObjectCloneIC_Slow() source argument must be a HeapObject handle,
// because undefined/null are allowed.
function spread(o) { return { ...o }; }

// Transition to MEGAMORPHIC
assertEquals({}, spread(new function C1() {}));
assertEquals({}, spread(new function C2() {}));
assertEquals({}, spread(new function C3() {}));
assertEquals({}, spread(new function C4() {}));
assertEquals({}, spread(new function C5() {}));

// Trigger Runtime_ObjectCloneIC_Slow() with a non-JSReceiver.
assertEquals({}, spread(undefined));
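Review bot: the header comment says the slow-path source argument must be a HeapObject handle "because undefined/null are allowed", but the final assertion only exercises `undefined`; adding `assertEquals({}, spread(null));` after `assertEquals({}, spread(undefined));` would cover the second non-JSReceiver value the comment names and keep this regression test in step with the Handle-cast fix it guards.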