Commit 1a2e4b26 authored by ishell's avatar ishell Committed by Commit bot

Map::CopyGeneralizeAllRepresentations() left an incorrect layout descriptor in the new map.

BUG=chromium:436820
LOG=N

Review URL: https://codereview.chromium.org/759823004

Cr-Commit-Position: refs/heads/master@{#25530}
parent 0ea30611
...@@ -2183,17 +2183,24 @@ Handle<Map> Map::CopyGeneralizeAllRepresentations(Handle<Map> map, ...@@ -2183,17 +2183,24 @@ Handle<Map> Map::CopyGeneralizeAllRepresentations(Handle<Map> map,
PropertyAttributes attributes, PropertyAttributes attributes,
const char* reason) { const char* reason) {
Isolate* isolate = map->GetIsolate(); Isolate* isolate = map->GetIsolate();
Handle<Map> new_map = Copy(map, reason); Handle<DescriptorArray> old_descriptors(map->instance_descriptors(), isolate);
int number_of_own_descriptors = map->NumberOfOwnDescriptors();
Handle<DescriptorArray> descriptors =
DescriptorArray::CopyUpTo(old_descriptors, number_of_own_descriptors);
DescriptorArray* descriptors = new_map->instance_descriptors(); for (int i = 0; i < number_of_own_descriptors; i++) {
int length = descriptors->number_of_descriptors();
for (int i = 0; i < length; i++) {
descriptors->SetRepresentation(i, Representation::Tagged()); descriptors->SetRepresentation(i, Representation::Tagged());
if (descriptors->GetDetails(i).type() == FIELD) { if (descriptors->GetDetails(i).type() == FIELD) {
descriptors->SetValue(i, HeapType::Any()); descriptors->SetValue(i, HeapType::Any());
} }
} }
Handle<LayoutDescriptor> new_layout_descriptor(
LayoutDescriptor::FastPointerLayout(), isolate);
Handle<Map> new_map =
CopyReplaceDescriptors(map, descriptors, new_layout_descriptor,
OMIT_TRANSITION, MaybeHandle<Name>(), reason);
// Unless the instance is being migrated, ensure that modify_index is a field. // Unless the instance is being migrated, ensure that modify_index is a field.
PropertyDetails details = descriptors->GetDetails(modify_index); PropertyDetails details = descriptors->GetDetails(modify_index);
if (store_mode == FORCE_FIELD && if (store_mode == FORCE_FIELD &&
......
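Review bot: The added `new_layout_descriptor` lines have no comment saying why `LayoutDescriptor::FastPointerLayout()` is the only valid choice here, although that invariant is the whole fix. The loop just above sets every own descriptor to `Representation::Tagged()`, so the new map must not keep a layout taken over from `map`; a layout that disagrees with the descriptors presumably lets the collector or field accessors treat a slot as the wrong kind of value, which is a memory-safety issue rather than a cosmetic one. I would put this above the handle: `// Every field is Tagged after the loop above, so the layout must be all-pointer; reusing map's layout would leave it out of sync with the descriptors.` The function continues past the `if (store_mode == FORCE_FIELD &&` line outside the hunk, so whether later code touches the layout again cannot be checked from here.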
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function c(p) {
return {__proto__: p};
}
var p = {};
var o = c(p);
p.x = 0.6;
Object.defineProperty(p, "x", { writable: false });
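Review bot: The test has no assertion and no comment naming the failure it guards, so it catches the regression only if the build itself aborts on the inconsistent map. As far as the visible lines show, nothing calls a `%` native, so `--allow-natives-syntax` looks unneeded, while heap verification is what would most likely surface a stale layout descriptor. Consider `// Flags: --verify-heap` (after confirming the flag is accepted in every test configuration) and a header comment such as `// Regression test for crbug.com/436820: the generalized map must get a fresh layout descriptor.`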