f51e0368ea
This CL adds regression tests for two bugs where the wrong native context is used when lazy accessors are instantiated. The first bug injects an object created in context 1, into another context 2. The object has an accessor pair installed via FunctionTemplate. In context 2, the property descriptor of this accessor is retrieved, causing the JSFunction to be instantiated with the current context (context 2) instead of the creation context of the object (context 1). The second bug is similar. When breakpoints are set, the whole heap is walked and all lazy accessor pairs are instantiated. This again uses the current context instead of using the context from which a AccessorPair originates. Bug: chromium:986063, chromium:989909 Change-Id: Iaaea6e81f1b9f6b55fc7583b260aa9aea035a8d3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1730999 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Simon Zünd <szuend@chromium.org> Cr-Commit-Position: refs/heads/master@{#63048} |
||
|---|---|---|
| .. | ||
| access-check-unittest.cc | ||
| exception-unittest.cc | ||
| interceptor-unittest.cc | ||
| isolate-unittest.cc | ||
| remote-object-unittest.cc | ||
| resource-constraints-unittest.cc | ||
| v8-object-unittest.cc | ||