9c1363e5ad
Deprecated maps might not be updated before being passed to PrepareForDataProperty. If the target map is a dictionary map, then adding the data property can fail. As a drive-by, remove the dead ForTransitionHandler code, which was another (potentially unsafe) caller of PrepareForDataProperty Bug: chromium:977012 Change-Id: I894bbc9bca2001555474a3570eb03fe6b0f69ddd Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1674029 Auto-Submit: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#62377}
18 lines
536 B
JavaScript
18 lines
536 B
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
function foo(arg) {
|
|
var ret = { x: arg };
|
|
ret.__defineSetter__("y", function() { });
|
|
return ret;
|
|
}
|
|
|
|
// v1 creates a map with a Smi field, v2 deprecates v1's map.
|
|
let v1 = foo(10);
|
|
let v2 = foo(10.5);
|
|
|
|
// Trigger a PrepareForDataProperty on v1, which also triggers an update to
|
|
// dictionary due to the different accessors on v1 and v2's y property.
|
|
v1.x = 20.5;
|