[runtime] Properly forward the "interesting symbol" bit.

This fixes a corner case of rewriting the transition trees, where the "interesting symbols" bit was not properly forwarded. Drive-by-fix: Introduce additional checking in Map::ConnectTransition to make it easier for clusterfuzz to detect cases we might have missed. R=mstarzinger@chromium.org Bug: chromium:751109 Change-Id: I3f1a1e6232db9b3694064b3d4e9f37255b018acc Reviewed-on: https://chromium-review.googlesource.com/597669Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#47075}

[runtime] Properly forward the "interesting symbol" bit.
This fixes a corner case of rewriting the transition trees, where the "interesting symbols" bit was not properly forwarded. Drive-by-fix: Introduce additional checking in Map::ConnectTransition to make it easier for clusterfuzz to detect cases we might have missed. R=mstarzinger@chromium.org Bug: chromium:751109 Change-Id: I3f1a1e6232db9b3694064b3d4e9f37255b018acc Reviewed-on: https://chromium-review.googlesource.com/597669Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#47075}
71012480 · Benedikt Meurer · Commit Bot · 47a15c62 · 71012480 · 71012480
Commit 71012480 authored Aug 02, 2017 by Benedikt Meurer Committed by Commit Bot Aug 02, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 1 deletion

objects.cc src/objects.cc +5 -1

regress-crbug-751109.js test/mjsunit/regress/regress-crbug-751109.js +7 -0

No files found.
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -9064,6 +9064,10 @@ void Map::TraceAllTransitions(Map* map) {
 void Map::ConnectTransition(Handle<Map> parent, Handle<Map> child,
                            Handle<Name> name, SimpleTransitionFlag flag) {
  Isolate* isolate = parent->GetIsolate();
+  DCHECK_IMPLIES(name->IsInterestingSymbol(),
+                 child->may_have_interesting_symbols());
+  DCHECK_IMPLIES(parent->may_have_interesting_symbols(),
+                 child->may_have_interesting_symbols());
  // Do not track transitions during bootstrap except for element transitions.
  if (isolate->bootstrapper()->IsActive() &&
      !name.is_identical_to(isolate->factory()->elements_transition_symbol())) {
@@ -9216,7 +9220,7 @@ void Map::InstallDescriptors(Handle<Map> parent, Handle<Map> child,
  }

  Handle<Name> name = handle(descriptors->GetKey(new_descriptor));
-  if (name->IsInterestingSymbol()) {
+  if (parent->may_have_interesting_symbols() || name->IsInterestingSymbol()) {
    child->set_may_have_interesting_symbols(true);
  }
  ConnectTransition(parent, child, name, SIMPLE_PROPERTY_TRANSITION);

--- a/test/mjsunit/regress/regress-crbug-751109.js
+++ b/test/mjsunit/regress/regress-crbug-751109.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --verify-heap
+
+(new constructor)[0] = null;