AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
b050bfdf5a
v8/test/mjsunit/regress/regress-crbug-992914.js
Z Nguyen-Huu 1f4bec2775 Add new nonextensible element kinds 
Currently the backing store and elements kind might not aligned aka
backing store can be dictionary where elements kind is frozen/sealed
element kinds or the other way around. The reason is that
Object.preventExtensions change elements kind to DICTIONARY while
Object.seal/freeze change elements kind to SEALED/FROZEN element kind.
Apply both these operations can lead to that problem as in
chromium:992914

To solve this issue, we avoid Object.preventExtensions to change backing
store to dictionary by introducing new nonextensible elements kind.
These new nonextensible elements kind are handled similar to frozen,
sealed element kinds. This change not only fixes the problem but also
optimize the performance of nonextensible objects.

Change-Id: Iffc7f14eb48223c11abf3c577f305d2d072eb65b
Bug: chromium:992914, v8:6831
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1760976
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63432}
2019-08-28 17:24:49 +00:00

60 lines
1.3 KiB
JavaScript
Raw Blame History

// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function mainFreeze() {
const v2 = {foo:1.1};
Object.freeze(v2);
const v12 = {foo:2.2};
Object.preventExtensions(v12);
Object.freeze(v12);
const v18 = {foo:Object};
v12.__proto__ = 0;
v2[5] = 1;
}
mainFreeze();
function mainSeal() {
const v2 = {foo:1.1};
Object.seal(v2);
const v12 = {foo:2.2};
Object.preventExtensions(v12);
Object.seal(v12);
const v18 = {foo:Object};
v12.__proto__ = 0;
v2[5] = 1;
}
mainSeal();
function testSeal() {
a = new RangeError(null, null, null);
a.toFixed = () => {};
e = Object.seal(a);
a = new RangeError(null, null, null);
a.toFixed = () => {};
k = Object.preventExtensions(a);
l = Object.seal(a);
a.toFixed = () => {};
assertThrows(() => {
Array.prototype.unshift.call(l, false, Infinity);
}, TypeError);
}
testSeal();
function testFreeze() {
a = new RangeError(null, null, null);
a.toFixed = () => {};
e = Object.freeze(a);
a = new RangeError(null, null, null);
a.toFixed = () => {};
k = Object.preventExtensions(a);
l = Object.freeze(a);
a.toFixed = () => {};
assertThrows(() => {
Array.prototype.unshift.call(l, false, Infinity);
}, TypeError);
}
testFreeze();
Reference in New Issue View Git Blame Copy Permalink