[runtime] Update transitioning target when deserializing values

Bug: chromium:1359936 Change-Id: If5b09647dbb341b056a782ae6d1733351c8061bb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870487 Auto-Submit: Igor Sheludko <ishell@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#82977}

[runtime] Update transitioning target when deserializing values
Bug: chromium:1359936 Change-Id: If5b09647dbb341b056a782ae6d1733351c8061bb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870487 Auto-Submit: Igor Sheludko <ishell@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#82977}
633cc57f · Igor Sheludko · V8 LUCI CQ · fb41a136 · 633cc57f
Commit 633cc57f authored Sep 05, 2022 by Igor Sheludko Committed by V8 LUCI CQ Sep 05, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

value-serializer.cc src/objects/value-serializer.cc +4 -0

No files found.
--- a/src/objects/value-serializer.cc
+++ b/src/objects/value-serializer.cc
@@ -2392,6 +2392,10 @@ Maybe<uint32_t> ValueDeserializer::ReadJSObjectProperties(
      // (though generalization may be required), store the property value so
      // that we can copy them all at once. Otherwise, stop transitioning.
      if (transitioning) {
+        // Deserializaton of |value| might have deprecated current |target|,
+        // ensure we are working with the up-to-date version.
+        target = Map::Update(isolate_, target);
+
        InternalIndex descriptor(properties.size());
        PropertyDetails details =
            target->instance_descriptors(isolate_).GetDetails(descriptor);