Commit 4b0916a2 authored by Toon Verwaest's avatar Toon Verwaest Committed by Commit Bot

[keys] Make sure we don't leak the enum cache in slow-mode for/in

An enum cache can only be referenced together with the map that owns the
entries that are needed. Otherwise the entries can be trimmed away if
the map dies because of transitions.

Bug: chromium:1050046
Change-Id: I5bc9dd65ca092c3d5ebc08ce553f6f1dc980d41b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2066959
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66375}
parent 93d35279
......@@ -605,8 +605,14 @@ MaybeHandle<FixedArray> FastKeyAccumulator::GetKeysWithPrototypeInfoCache(
MaybeHandle<FixedArray>());
prototype_chain_keys = accumulator.GetKeys(keys_conversion);
}
return CombineKeys(isolate_, own_keys, prototype_chain_keys, receiver_,
may_have_elements_);
Handle<FixedArray> result = CombineKeys(
isolate_, own_keys, prototype_chain_keys, receiver_, may_have_elements_);
if (is_for_in_ && own_keys.is_identical_to(result)) {
// Don't leak the enumeration cache without the receiver since it might get
// trimmed otherwise.
return isolate_->factory()->CopyFixedArrayUpTo(result, result->length());
}
return result;
}
bool FastKeyAccumulator::MayHaveElements(JSReceiver receiver) {
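Review bot: The guard `is_for_in_ && own_keys.is_identical_to(result)` depends on a fact the hunk does not state: that CombineKeys hands back own_keys unchanged only in the case where own_keys may itself be the shared enumeration-cache array, which lives as long as the map that owns it. The comment above the copy should name that owner and the lifetime rule, e.g. `// own_keys may be the map's enumeration cache, which can be trimmed when the map dies (transitions); copy so the for-in result owns its storage.` As written the copy is also taken when own_keys was freshly allocated rather than cached — presumably an acceptable extra allocation on the slow path, but worth one sentence so nobody "optimizes" the check away. If the factory's plain `CopyFixedArray(result)` overload is available here it reads more directly than `CopyFixedArrayUpTo(result, result->length())`. GetKeysWithPrototypeInfoCache starts above the hunk.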
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
var __v_6 = new Boolean();
__v_6.first = 0;
__v_6.prop = 1;
for (var __v_2 in __v_6) {
delete __v_6.prop;
gc();
}
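Review bot: The test carries no comment tying it to the bug it reproduces, so a future reader cannot tell which of `delete __v_6.prop` or `gc()` is essential. A one-line header after the flags line, e.g. `// Regression test for chromium:1050046: deleting a property during for-in must not leave the loop holding a trimmed enumeration cache.`, would keep the test from being simplified into something that no longer exercises the path. The test presumably relies on a crash or sanitizer failure rather than an assertion, which is consistent with the other regression tests in this directory, but that intent is worth stating in the same comment.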