Commit 37294105 authored by Caitlin Potter, committed by Commit Bot

[cloneobjectic] initialize property array before filling it

This avoids leaving the heap in an invalid state if a GC occurs during
population of the cloned property array, as is done in other IC
builtins.

BUG=chromium:904167, v8:7611
R=jkummerow@chromium.org, ishell@chromium.org

Change-Id: I0350ed2d65b72e299f7109b7d5aa86331f60e940
Reviewed-on: https://chromium-review.googlesource.com/c/1350282
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57879}
parent 3649dc18
......@@ -3616,6 +3616,8 @@ void AccessorAssembler::GenerateCloneObjectIC() {
auto mode = INTPTR_PARAMETERS;
var_properties = CAST(AllocatePropertyArray(length, mode));
FillPropertyArrayWithUndefined(var_properties.value(), IntPtrConstant(0),
length, mode);
CopyPropertyArrayValues(source_properties, var_properties.value(), length,
SKIP_WRITE_BARRIER, mode, DestroySource::kNo);
}
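Review bot: the added FillPropertyArrayWithUndefined call sits directly before a CopyPropertyArrayValues that overwrites every slot it just filled, so without a comment it reads as redundant work that a later cleanup could remove; add a one-line comment above it stating that the fill keeps the freshly allocated array in a valid state should a GC run while the copy is in progress, which is the reason given in the commit message.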
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Previously, spreading in-object properties would always treat double fields
// as tagged, potentially dereferencing a Float64.
// Ensure that we don't fail an assert from --verify-heap when cloning a
// MutableHeapNumber in the CloneObjectIC handler case.
var src, clone;
for (var i = 0; i < 40000; i++) {
src = { ...i, x: -9007199254740991 };
clone = { ...src };
}
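Review bot: the test's header comment describes the double-field / MutableHeapNumber case but says nothing about the GC-during-population invariant that this change addresses, so the link between the 40000-iteration loop and the fix in GenerateCloneObjectIC is not obvious; extend the comment to say the loop is meant to trigger GCs while the cloned property array is being populated, and confirm the file carries a `// Flags: --verify-heap` line, since the comment relies on that assert firing.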