v8/test/mjsunit/es9/regress/regress-902965.js
Caitlin Potter 3e010af274 [CloneObjectIC] clone MutableHeapNumbers only if !FLAG_unbox_double_fields
Change the macros added in bf84766a2c to
only do the hard work if FLAG_unbox_double_fields is unset (otherwise,
they will attempt to dereference raw float64s, which is bad!)

Also adds a write barrier in CopyPropertyArrayValues for each store if
it's possible that a MutableHeapNumber is cloned.

BUG=chromium:901301, chromium:902965, chromium:903070, v8:7611
R=cbruni@chromium.org, jkummerow@chromium.org, ishell@chromium.org

Change-Id: I224d3c4e7b0a887684bff68985b4d97021ba4cfb
Reviewed-on: https://chromium-review.googlesource.com/c/1323911
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57368}
2018-11-08 19:14:11 +00:00

13 lines
432 B
JavaScript

// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Previously, spreading in-object properties would always treat double fields
// as tagged, potentially dereferencing a Float64.
function inobjectDouble() {
"use strict";
this.x = -3.9;
}
const instance = new inobjectDouble();
const clone = { ...instance, };