Reload the map of typed arrays after performing ToNumber.

BUG=chromium:507980 LOG=n Review URL: https://codereview.chromium.org/1234553002 Cr-Commit-Position: refs/heads/master@{#29570}

Reload the map of typed arrays after performing ToNumber.
BUG=chromium:507980 LOG=n Review URL: https://codereview.chromium.org/1234553002 Cr-Commit-Position: refs/heads/master@{#29570}
0b3d6f7a · verwaest · Commit bot · 40b64652 · 0b3d6f7a · 0b3d6f7a
Commit 0b3d6f7a authored Jul 10, 2015 by verwaest Committed by Commit bot Jul 10, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 0 deletions

lookup.cc src/lookup.cc +11 -0

lookup.h src/lookup.h +1 -0

objects.cc src/objects.cc +6 -0

regress-507980.js test/mjsunit/regress/regress-507980.js +8 -0

No files found.
--- a/src/lookup.cc
+++ b/src/lookup.cc
@@ -101,6 +101,17 @@ void LookupIterator::ReloadPropertyInformation() {
 }


+void LookupIterator::ReloadHolderMap() {
+  DCHECK_EQ(DATA, state_);
+  DCHECK(IsElement());
+  DCHECK(JSObject::cast(*holder_)->HasExternalArrayElements() ||
+         JSObject::cast(*holder_)->HasFixedTypedArrayElements());
+  if (*holder_map_ != holder_->map()) {
+    holder_map_ = handle(holder_->map(), isolate_);
+  }
+}
+
+
 void LookupIterator::PrepareForDataProperty(Handle<Object> value) {
  DCHECK(state_ == DATA || state_ == ACCESSOR);
  DCHECK(HolderIsReceiverOrHiddenPrototype());

--- a/src/lookup.h
+++ b/src/lookup.h
@@ -239,6 +239,7 @@ class LookupIterator final BASE_EMBEDDED {
  Handle<Object> GetDataValue() const;
  void WriteDataValue(Handle<Object> value);
  void InternalizeName();
+  void ReloadHolderMap();

 private:
  enum class InterceptorState {

--- a/src/objects.cc
+++ b/src/objects.cc
@@ -3292,6 +3292,12 @@ MaybeHandle<Object> Object::SetDataProperty(LookupIterator* it,
      ASSIGN_RETURN_ON_EXCEPTION(it->isolate(), to_assign,
                                 Execution::ToNumber(it->isolate(), value),
                                 Object);
+      // ToNumber above might modify the receiver, causing the cached
+      // holder_map to mismatch the actual holder->map() after this point.
+      // Reload the map to be in consistent state. Other cached state cannot
+      // have been invalidated since typed array elements cannot be reconfigured
+      // in any way.
+      it->ReloadHolderMap();
    }
  }


--- a/test/mjsunit/regress/regress-507980.js
+++ b/test/mjsunit/regress/regress-507980.js
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+__v_1 = new Float64Array(1);
+__v_8 = { valueOf: function() { __v_13.y = "bar"; return 42; }};
+__v_13 = __v_1;
+__v_13[0] = __v_8;