[CloneObjectIC] Avoid FieldType confusions

Do not propagate FieldTypes for kField properties. Bug: chromium:881247 Change-Id: Ia6af451cd6f3ba22a9ced1f3b43fc4cfc8f7084e Reviewed-on: https://chromium-review.googlesource.com/c/1288637 Commit-Queue: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#56813}

[CloneObjectIC] Avoid FieldType confusions
Do not propagate FieldTypes for kField properties. Bug: chromium:881247 Change-Id: Ia6af451cd6f3ba22a9ced1f3b43fc4cfc8f7084e Reviewed-on: https://chromium-review.googlesource.com/c/1288637 Commit-Queue: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#56813}
78e57631 · Camillo Bruni · Commit Bot · 9c001573 · 78e57631 · 78e57631
Commit 78e57631 authored Oct 18, 2018 by Camillo Bruni Committed by Commit Bot Oct 19, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 3 deletions

objects.cc src/objects.cc +10 -3

regress-crbug-881247.js test/mjsunit/regress/regress-crbug-881247.js +24 -0

No files found.
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -10180,15 +10180,22 @@ Handle<DescriptorArray> DescriptorArray::CopyForFastObjectClone(
    Name* key = src->GetKey(i);
    PropertyDetails details = src->GetDetails(i);
-    SLOW_DCHECK(!key->IsPrivateField() && details.IsEnumerable() &&
+    DCHECK(!key->IsPrivateField());
-                details.kind() == kData);
+    DCHECK(details.IsEnumerable());
+    DCHECK_EQ(details.kind(), kData);
    // Ensure the ObjectClone property details are NONE, and that all source
    // details did not contain DONT_ENUM.
    PropertyDetails new_details(kData, NONE, details.location(),
                                details.constness(), details.representation(),
                                details.field_index());
-    descriptors->Set(i, key, src->GetValue(i), new_details);
+    // Do not propagate the field type of normal object fields from the
+    // original descriptors since FieldType changes don't create new maps.
+    MaybeObject* type = src->GetValue(i);
+    if (details.location() == PropertyLocation::kField) {
+      type = MaybeObject::FromObject(FieldType::Any());
+    }
+    descriptors->Set(i, key, type, new_details);
  }
  descriptors->Sort();

--- a/test/mjsunit/regress/regress-crbug-881247.js
+++ b/test/mjsunit/regress/regress-crbug-881247.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+// Flags: --allow-natives-syntax
+const resolvedPromise = Promise.resolve();
+function spread() {
+  const result = { ...resolvedPromise };
+  %HeapObjectVerify(result);
+  return result;
+}
+resolvedPromise[undefined] =  {a:1};
+%HeapObjectVerify(resolvedPromise);
+spread();
+resolvedPromise[undefined] = undefined;
+%HeapObjectVerify(resolvedPromise);
+spread();
+%HeapObjectVerify(resolvedPromise);