Commit 8361fa58 authored by Camillo Bruni's avatar Camillo Bruni Committed by Commit Bot

[runtime] Fix derived class instantiation

Bug: chromium:806388
Change-Id: Ieb343f0d532c16b6102e85222b77713f23bacf8c
Reviewed-on: https://chromium-review.googlesource.com/894942
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50990}
parent 4ca5a577
...@@ -13018,14 +13018,19 @@ MaybeHandle<Map> JSFunction::GetDerivedMap(Isolate* isolate, ...@@ -13018,14 +13018,19 @@ MaybeHandle<Map> JSFunction::GetDerivedMap(Isolate* isolate,
constructor_initial_map->UnusedPropertyFields(); constructor_initial_map->UnusedPropertyFields();
int instance_size; int instance_size;
int in_object_properties; int in_object_properties;
CalculateInstanceSizeForDerivedClass(function, instance_type, bool success = CalculateInstanceSizeForDerivedClass(
embedder_fields, &instance_size, function, instance_type, embedder_fields, &instance_size,
&in_object_properties); &in_object_properties);
int unused_property_fields = in_object_properties - pre_allocated; int unused_property_fields = in_object_properties - pre_allocated;
Handle<Map> map =
Map::CopyInitialMap(constructor_initial_map, instance_size, Handle<Map> map;
in_object_properties, unused_property_fields); if (success) {
map = Map::CopyInitialMap(constructor_initial_map, instance_size,
in_object_properties, unused_property_fields);
} else {
map = Map::CopyInitialMap(constructor_initial_map);
}
map->set_new_target_is_base(false); map->set_new_target_is_base(false);
JSFunction::SetInitialMap(function, map, prototype); JSFunction::SetInitialMap(function, map, prototype);
...@@ -13781,12 +13786,14 @@ void JSFunction::CalculateInstanceSizeHelper(InstanceType instance_type, ...@@ -13781,12 +13786,14 @@ void JSFunction::CalculateInstanceSizeHelper(InstanceType instance_type,
requested_embedder_fields; requested_embedder_fields;
} }
void JSFunction::CalculateInstanceSizeForDerivedClass( // static
bool JSFunction::CalculateInstanceSizeForDerivedClass(
Handle<JSFunction> function, InstanceType instance_type, Handle<JSFunction> function, InstanceType instance_type,
int requested_embedder_fields, int* instance_size, int requested_embedder_fields, int* instance_size,
int* in_object_properties) { int* in_object_properties) {
Isolate* isolate = function->GetIsolate(); Isolate* isolate = function->GetIsolate();
int expected_nof_properties = 0; int expected_nof_properties = 0;
bool result = true;
for (PrototypeIterator iter(isolate, function, kStartAtReceiver); for (PrototypeIterator iter(isolate, function, kStartAtReceiver);
!iter.IsAtEnd(); iter.Advance()) { !iter.IsAtEnd(); iter.Advance()) {
Handle<JSReceiver> current = Handle<JSReceiver> current =
...@@ -13800,6 +13807,11 @@ void JSFunction::CalculateInstanceSizeForDerivedClass( ...@@ -13800,6 +13807,11 @@ void JSFunction::CalculateInstanceSizeForDerivedClass(
Compiler::Compile(func, Compiler::CLEAR_EXCEPTION)) { Compiler::Compile(func, Compiler::CLEAR_EXCEPTION)) {
DCHECK(shared->is_compiled()); DCHECK(shared->is_compiled());
expected_nof_properties += shared->expected_nof_properties(); expected_nof_properties += shared->expected_nof_properties();
} else if (!shared->is_compiled()) {
// In case there was a compilation error for the constructor we will
// throw an error during instantiation. Hence we directly return 0;
result = false;
break;
} }
if (!IsDerivedConstructor(shared->kind())) { if (!IsDerivedConstructor(shared->kind())) {
break; break;
...@@ -13808,6 +13820,7 @@ void JSFunction::CalculateInstanceSizeForDerivedClass( ...@@ -13808,6 +13820,7 @@ void JSFunction::CalculateInstanceSizeForDerivedClass(
CalculateInstanceSizeHelper(instance_type, true, requested_embedder_fields, CalculateInstanceSizeHelper(instance_type, true, requested_embedder_fields,
expected_nof_properties, instance_size, expected_nof_properties, instance_size,
in_object_properties); in_object_properties);
return result;
} }
...@@ -3680,7 +3680,7 @@ class JSFunction: public JSObject { ...@@ -3680,7 +3680,7 @@ class JSFunction: public JSObject {
DECL_CAST(JSFunction) DECL_CAST(JSFunction)
// Calculate the instance size and in-object properties count. // Calculate the instance size and in-object properties count.
static void CalculateInstanceSizeForDerivedClass( static bool CalculateInstanceSizeForDerivedClass(
Handle<JSFunction> function, InstanceType instance_type, Handle<JSFunction> function, InstanceType instance_type,
int requested_embedder_fields, int* instance_size, int requested_embedder_fields, int* instance_size,
int* in_object_properties); int* in_object_properties);
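Review bot: The declaration's return type changes from void to bool, but the comment above it still only says it calculates the instance size and in-object property count, so the meaning of the result is undocumented at the one place callers read. Suggested comment: `// Returns false if a constructor on the prototype chain could not be compiled (instantiation will throw); the out-parameters are then not reliable.` Because the function used to be void, any existing caller that ignores the result still compiles silently; marking it `V8_WARN_UNUSED_RESULT` would surface that. Whether any such caller exists is not visible from this page.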
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --enable-slow-asserts --expose-gc
class Derived extends Array {
constructor(a) {
// Syntax Error.
const a = 1;
}
}
// Derived is not a subclass of RegExp
let o = Reflect.construct(RegExp, [], Derived);
o.lastIndex = 0x1234;
%HeapObjectVerify(o);
gc();
%HeapObjectVerify(o);