AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
52e07ffec5
v8/test/mjsunit/regress/regress-crbug-980168.js
Z Nguyen-Huu bf1ab278e1 Remove unnecessary DCHECK 
This DCHECK is unnecessary because the object can be sealed or frozen
before it is set as a prototype map.

The repro is
Object.seal(Object);// Object is HOLEY_FROZEN_ELEMENTS
const v3 = Object();
v3.__proto__ = Object; // Set prototype map bit and dictionary map bit
const v6 = Object.seal(Object); // Turn Object to DICTIONARY_ELEMENTS

Bug: chromium:980168
Change-Id: Iec50249d0ff0c5ed959201707b837871fcb88a02
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1687280
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62606}
2019-07-09 15:41:13 +00:00

57 lines
1.2 KiB
JavaScript
Raw Blame History

// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --verify-heap
// seal then freeze.
(function () {
const v1 = Object.seal(Object);
const v3 = Object();
const v4 = Object(Object);
v3.__proto__ = v4;
const v6 = Object.freeze(Object);
})();
// preventExtensions then freeze.
(function () {
const v1 = Object.preventExtensions(Object);
const v3 = Object();
const v4 = Object(Object);
v3.__proto__ = v4;
const v6 = Object.freeze(Object);
})();
// preventExtensions then seal.
(function () {
const v1 = Object.preventExtensions(Object);
const v3 = Object();
const v4 = Object(Object);
v3.__proto__ = v4;
const v6 = Object.seal(Object);
})();
// freeze.
(function () {
const v3 = Object();
const v4 = Object(Object);
v3.__proto__ = v4;
const v6 = Object.freeze(Object);
})();
// seal.
(function () {
const v3 = Object();
const v4 = Object(Object);
v3.__proto__ = v4;
const v6 = Object.seal(Object);
})();
// preventExtensions.
(function () {
const v3 = Object();
const v4 = Object(Object);
v3.__proto__ = v4;
const v6 = Object.preventExtensions(Object);
})();
Reference in New Issue View Git Blame Copy Permalink