Mark proxy map as unstable during proxy fixing (freezing, sealing or preventing extensions).

BUG=chromium:493568 LOG=N Review URL: https://codereview.chromium.org/1158023003 Cr-Commit-Position: refs/heads/master@{#28759}

Mark proxy map as unstable during proxy fixing (freezing, sealing or preventing extensions).
BUG=chromium:493568 LOG=N Review URL: https://codereview.chromium.org/1158023003 Cr-Commit-Position: refs/heads/master@{#28759}
65ada9fa · ishell · Commit bot · abaec424 · 65ada9fa · 65ada9fa
Commit 65ada9fa authored Jun 02, 2015 by ishell Committed by Commit bot Jun 02, 2015
Showing with 38 additions and 7 deletions

factory.cc src/factory.cc +3 -7

objects.cc src/objects.cc +19 -0

objects.h src/objects.h +4 -0

regress-crbug-493568.js test/mjsunit/regress/regress-crbug-493568.js +12 -0

No files found.
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -2019,17 +2019,13 @@ void Factory::ReinitializeJSProxy(Handle<JSProxy> proxy, InstanceType type,
                                  int size) {
  DCHECK(type == JS_OBJECT_TYPE || type == JS_FUNCTION_TYPE);

-  // Allocate fresh map.
-  // TODO(rossberg): Once we optimize proxies, cache these maps.
-  Handle<Map> map = NewMap(type, size);
+  Handle<Map> proxy_map(proxy->map());
+  Handle<Map> map = Map::FixProxy(proxy_map, type, size);

  // Check that the receiver has at least the size of the fresh object.
-  int size_difference = proxy->map()->instance_size() - map->instance_size();
+  int size_difference = proxy_map->instance_size() - map->instance_size();
  DCHECK(size_difference >= 0);

-  Handle<Object> prototype(proxy->map()->prototype(), isolate());
-  Map::SetPrototype(map, prototype);
-
  // Allocate the backing storage for the properties.
  int prop_size = map->InitialPropertiesLength();
  Handle<FixedArray> properties = NewFixedArray(prop_size, TENURED);

--- a/src/objects.cc
+++ b/src/objects.cc
@@ -7200,6 +7200,25 @@ Handle<Map> Map::CopyForPreventExtensions(Handle<Map> map,
 }


+Handle<Map> Map::FixProxy(Handle<Map> map, InstanceType type, int size) {
+  DCHECK(type == JS_OBJECT_TYPE || type == JS_FUNCTION_TYPE);
+  DCHECK(map->IsJSProxyMap());
+
+  Isolate* isolate = map->GetIsolate();
+
+  // Allocate fresh map.
+  // TODO(rossberg): Once we optimize proxies, cache these maps.
+  Handle<Map> new_map = isolate->factory()->NewMap(type, size);
+
+  Handle<Object> prototype(map->prototype(), isolate);
+  Map::SetPrototype(new_map, prototype);
+
+  map->NotifyLeafMapLayoutChange();
+
+  return new_map;
+}
+
+
 bool DescriptorArray::CanHoldValue(int descriptor, Object* value) {
  PropertyDetails details = GetDetails(descriptor);
  switch (details.type()) {

--- a/src/objects.h
+++ b/src/objects.h
@@ -6295,6 +6295,10 @@ class Map: public HeapObject {
                                              PropertyAttributes attrs_to_add,
                                              Handle<Symbol> transition_marker,
                                              const char* reason);
+
+  static Handle<Map> FixProxy(Handle<Map> map, InstanceType type, int size);
+
+
  // Maximal number of fast properties. Used to restrict the number of map
  // transitions to avoid an explosion in the number of maps for objects used as
  // dictionaries.

--- a/test/mjsunit/regress/regress-crbug-493568.js
+++ b/test/mjsunit/regress/regress-crbug-493568.js
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --harmony-proxies
+
+var p = Proxy.create({ fix: function() { return {}; } });
+
+var obj = {};
+obj.x = p;
+
+Object.preventExtensions(p);