MigrateInstance(target) before Object.assign(target, ...)

If the target is deprecated, the object will be updated on first store. If the source for that store equals the target, this will invalidate the cached representation of the source. Preventively upgrade the target.

BUG=chromium:604300
LOG=n

Review URL: https://codereview.chromium.org/1905933002

Cr-Commit-Position: refs/heads/master@{#35770}

src/builtins.cc

@@ -1630,6 +1630,14 @@ MUST_USE_RESULT Maybe<bool> FastAssign(Handle<JSReceiver> to,
                 String::cast(*next_source)->length() == 0);
   }
 
+  // If the target is deprecated, the object will be updated on first store. If
+  // the source for that store equals the target, this will invalidate the
+  // cached representation of the source. Preventively upgrade the target.
+  // Do this on each iteration since any property load could cause deprecation.
+  if (to->map()->is_deprecated()) {
+    JSObject::MigrateInstance(Handle<JSObject>::cast(to));
+  }
+
   Isolate* isolate = to->GetIsolate();
   Handle<Map> map(JSReceiver::cast(*next_source)->map(), isolate);
 

test/mjsunit/regress/regress-object-assign-deprecated-2.js

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var x = {a:1, b:2};
+Object.defineProperty(x, "c", {set(v) {}})
+var y = {get c() { return {a:1, b:2.5} }};
+Object.assign(x, y, x);

test/mjsunit/regress/regress-object-assign-deprecated.js

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var x = {a:1, b:2};
+var y = {a:1, b:2.5};
+Object.assign(x, x);