0a069d94df
This is a reland of 1a3a2bc335,
fixed an infinite loop in Map::TryUpdateSlow and added
a relevant test.
Original change's description:
> Fix accessor update of non-extensible maps.
>
> When installing getter/setter of non-extensible map with existing
> setter/getter of the same name, we introduce a new transition
> (so we have two transitions with the same name!). This triggers
> an assertion in map updater.
>
> This fix carefully checks that on the back-pointer path from
> non-extensible map to the extensible map there are only
> integrity level transitions. Otherwise, we just bail out.
>
> Bug: chromium:932953
> Change-Id: I02e91c3b652428a84a9f5c58b6691ea9b1fc44d6
> Reviewed-on: https://chromium-review.googlesource.com/c/1477067
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59667}
Bug: chromium:932953
Change-Id: I015ee3795f816c8eabb5b5c5cb0ee30f365cc972
Reviewed-on: https://chromium-review.googlesource.com/c/1477675
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59715}
60 lines
1.2 KiB
JavaScript
60 lines
1.2 KiB
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
(function NonExtensibleBetweenSetterAndGetter() {
|
|
o = {};
|
|
o.x = 42;
|
|
o.__defineGetter__("y", function() { });
|
|
Object.preventExtensions(o);
|
|
o.__defineSetter__("y", function() { });
|
|
o.x = 0.1;
|
|
})();
|
|
|
|
(function InterleavedIntegrityLevel() {
|
|
o = {};
|
|
o.x = 42;
|
|
o.__defineSetter__("y", function() { });
|
|
Object.preventExtensions(o);
|
|
o.__defineGetter__("y", function() { return 44; });
|
|
Object.seal(o);
|
|
o.x = 0.1;
|
|
assertEquals(44, o.y);
|
|
})();
|
|
|
|
(function TryUpdateRepeatedIntegrityLevel() {
|
|
function C() {
|
|
this.x = 0;
|
|
this.x = 1;
|
|
Object.preventExtensions(this);
|
|
Object.seal(this);
|
|
}
|
|
|
|
const o1 = new C();
|
|
const o2 = new C();
|
|
const o3 = new C();
|
|
|
|
function f(o) {
|
|
return o.x;
|
|
}
|
|
|
|
// Warm up the IC.
|
|
f(o1);
|
|
f(o1);
|
|
f(o1);
|
|
|
|
// Reconfigure to double field.
|
|
o3.x = 0.1;
|
|
|
|
// Migrate o2 to the new shape.
|
|
f(o2);
|
|
|
|
%OptimizeFunctionOnNextCall(f);
|
|
f(o1);
|
|
|
|
assertTrue(%HaveSameMap(o1, o2));
|
|
assertTrue(%HaveSameMap(o1, o3));
|
|
})();
|