6a597c672a
Fix uses of cached descriptors arrays used in loops that map-check to ensure validity of the cache to also reload the descriptor in case there are missed in-place representation updates. As a drive-by, introduce inner HandleScopes for these loops. Bug: chromium:1012301 Change-Id: I17273caf629a181b846d3c09777b5c08fd8cbb0e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1859621 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#64287}
28 lines
888 B
JavaScript
28 lines
888 B
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
function get() {
|
|
// Update the descriptor array now shared between the Foo map and the
|
|
// (Foo + c) map.
|
|
o1.c = 10;
|
|
// Change the type of the field on the new descriptor array in-place to
|
|
// Tagged. If Object.assign has a cached descriptor array, then it will point
|
|
// to the old Foo map's descriptors, which still have .b as Double.
|
|
o2.b = "string";
|
|
return 1;
|
|
}
|
|
|
|
function Foo() {
|
|
Object.defineProperty(this, "a", {get, enumerable: true});
|
|
// Initialise Foo.b to have Double representation.
|
|
this.b = 1.5;
|
|
}
|
|
|
|
var o1 = new Foo();
|
|
var o2 = new Foo();
|
|
var target = {};
|
|
Object.assign(target, o2);
|
|
// Make sure that target has the right representation after assignment.
|
|
assertEquals(target.b, "string");
|