• Caitlin Potter's avatar
    [runtime] fix ClusterFuzz regressions (and remaining nits) in CloneObject · d6efcbf0
    Caitlin Potter authored
    Includes fixes for several ClusterFuzz regressions:
    
    1) fix an invalid Handle-cast in ic.cc (chromium:866282)
    
    2) fix for improper accounting of used/unused inobject
    fields, found by clusterfuzz (chromium:866357).
    
    3) fix number of control outputs for the JSCloneObject
    operator to be used by IfSuccess and IfException nodes (chromium:866727).
    
    4) fix property constness in out-of-object properties of fast-cloned
    object to be compatible with DCHECKs in StoreIC (chromium:866861).
    
    Also includes the fixups missing from the initial commit, and
    regression tests
    
    BUG=v8:7611, chromium:866282, chromium:866357, chromium:866727, chromium:866861
    R=jkummerow@chromium.org, mvstanton@chromium.org
    TBR=rmcilroy@chromium.org
    
    Change-Id: I77220308482f16db2893c0dcebec36530d0f5540
    Reviewed-on: https://chromium-review.googlesource.com/1146297
    Commit-Queue: Caitlin Potter <caitp@igalia.com>
    Reviewed-by: 's avatarJakob Kummerow <jkummerow@chromium.org>
    Reviewed-by: 's avatarMichael Stanton <mvstanton@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#54706}
    d6efcbf0
regress-866282.js 695 Bytes