AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
bf3202c8b8
v8/test/mjsunit/es9/regress/regress-866861.js
Caitlin Potter d6efcbf022 [runtime] fix ClusterFuzz regressions (and remaining nits) in CloneObject 
Includes fixes for several ClusterFuzz regressions:

1) fix an invalid Handle-cast in ic.cc (chromium:866282)

2) fix for improper accounting of used/unused inobject
fields, found by clusterfuzz (chromium:866357).

3) fix number of control outputs for the JSCloneObject
operator to be used by IfSuccess and IfException nodes (chromium:866727).

4) fix property constness in out-of-object properties of fast-cloned
object to be compatible with DCHECKs in StoreIC (chromium:866861).

Also includes the fixups missing from the initial commit, and
regression tests

BUG=v8:7611, chromium:866282, chromium:866357, chromium:866727, chromium:866861
R=jkummerow@chromium.org, mvstanton@chromium.org
TBR=rmcilroy@chromium.org

Change-Id: I77220308482f16db2893c0dcebec36530d0f5540
Reviewed-on: https://chromium-review.googlesource.com/1146297
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54706}
2018-07-25 21:23:05 +00:00

12 lines
370 B
JavaScript
Raw Blame History

// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Check that property constness for out-of-object fields is valid
var o = {};
var toString = o.toString = function() {};
try {
assertEquals({ toString }, o = { ...o });
} catch (e) {}
o.toString = [];
Reference in New Issue View Git Blame Copy Permalink