[runtime] Fix miscalculated number of properties for derived class

... when an error occurs during super constructor compilation. Bug: chromium:1072947 Change-Id: I8acf461de1f3c141e45d3b61b3ac2f5c990e106a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172964Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Auto-Submit: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#67505}

[runtime] Fix miscalculated number of properties for derived class
... when an error occurs during super constructor compilation. Bug: chromium:1072947 Change-Id: I8acf461de1f3c141e45d3b61b3ac2f5c990e106a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172964Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Auto-Submit: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#67505}
a4cf3321 · Igor Sheludko · Commit Bot · 31ce84b2 · a4cf3321 · a4cf3321
Commit a4cf3321 authored Apr 30, 2020 by Igor Sheludko Committed by Commit Bot Apr 30, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 43 additions and 4 deletions

js-objects.cc src/objects/js-objects.cc +12 -4

regress-crbug-1072947.js test/mjsunit/regress/regress-crbug-1072947.js +31 -0

No files found.
--- a/src/objects/js-objects.cc
+++ b/src/objects/js-objects.cc
@@ -5327,8 +5327,15 @@ bool FastInitializeDerivedMap(Isolate* isolate, Handle<JSFunction> new_target,
  int in_object_properties;
  int embedder_fields =
      JSObject::GetEmbedderFieldCount(*constructor_initial_map);
+  // Constructor expects certain number of in-object properties to be in the
+  // object. However, CalculateExpectedNofProperties() may return smaller value
+  // if 1) the constructor is not in the prototype chain of new_target, or
+  // 2) the prototype chain is modified during iteration, or 3) compilation
+  // failure occur during prototype chain iteration.
+  // So we take the maximum of two values.
  int expected_nof_properties =
-      JSFunction::CalculateExpectedNofProperties(isolate, new_target);
+      Max(static_cast<int>(constructor->shared().expected_nof_properties()),
+          JSFunction::CalculateExpectedNofProperties(isolate, new_target));
  JSFunction::CalculateInstanceSizeHelper(
      instance_type, true, embedder_fields, expected_nof_properties,
      &instance_size, &in_object_properties);
@@ -5576,9 +5583,10 @@ int JSFunction::CalculateExpectedNofProperties(Isolate* isolate,
        return JSObject::kMaxInObjectProperties;
      }
    } else {
-      // In case there was a compilation error for the constructor we will
-      // throw an error during instantiation.
-      break;
+      // In case there was a compilation error proceed iterating in case there
+      // will be a builtin function in the prototype chain that requires
+      // certain number of in-object properties.
+      continue;
    }
  }
  // Inobject slack tracking will reclaim redundant inobject space

--- a/test/mjsunit/regress/regress-crbug-1072947.js
+++ b/test/mjsunit/regress/regress-crbug-1072947.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+(function() {
+  class reg extends RegExp {}
+
+  let r;
+  function trigger() {
+    try {
+      trigger();
+    } catch {
+      Reflect.construct(RegExp,[],reg);
+    }
+  }
+  trigger();
+})();
+
+(function() {
+  class reg extends Function {}
+
+  let r;
+  function trigger() {
+    try {
+      trigger();
+    } catch {
+      Reflect.construct(RegExp,[],reg);
+    }
+  }
+  trigger();
+})();