%ObjectFreeze needs to exclude non-fast-path objects.

ClusterFuzz will call it with sloppy arguments and similar cases. BUG=380049 LOG=N R=yangguo@chromium.org Review URL: https://codereview.chromium.org/315533002 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21624 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

%ObjectFreeze needs to exclude non-fast-path objects.
ClusterFuzz will call it with sloppy arguments and similar cases. BUG=380049 LOG=N R=yangguo@chromium.org Review URL: https://codereview.chromium.org/315533002 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21624 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
848a9af6 · mvstanton@chromium.org · b8c3ee40 · 848a9af6 · 848a9af6
Commit 848a9af6 authored Jun 03, 2014 by mvstanton@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 0 deletions

runtime.cc src/runtime.cc +6 -0

regress-380049.js test/mjsunit/regress/regress-380049.js +9 -0

No files found.
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -3266,6 +3266,12 @@ RUNTIME_FUNCTION(Runtime_ObjectFreeze) {
  HandleScope scope(isolate);
  ASSERT(args.length() == 1);
  CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
+
+  // %ObjectFreeze is a fast path and these cases are handled elsewhere.
+  RUNTIME_ASSERT(!object->HasSloppyArgumentsElements() &&
+                 !object->map()->is_observed() &&
+                 !object->IsJSProxy());
+
  Handle<Object> result;
  ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, result, JSObject::Freeze(object));
  return *result;

--- a/test/mjsunit/regress/regress-380049.js
+++ b/test/mjsunit/regress/regress-380049.js
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(a,b,c) { return arguments; }
+var f = foo(false, null, 40);
+assertThrows(function() { %ObjectFreeze(f); });