[runtime] Don't crash when creating an instance of a class inherited from a Proxy.

BUG=v8:4972 LOG=N Review-Url: https://codereview.chromium.org/1925803005 Cr-Commit-Position: refs/heads/master@{#35911}

[runtime] Don't crash when creating an instance of a class inherited from a Proxy.
BUG=v8:4972 LOG=N Review-Url: https://codereview.chromium.org/1925803005 Cr-Commit-Position: refs/heads/master@{#35911}
b83edcc8 · ishell · Commit bot · 45f52fcb · b83edcc8 · b83edcc8
Commit b83edcc8 authored Apr 29, 2016 by ishell Committed by Commit bot Apr 29, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 1 deletion

objects.cc src/objects.cc +3 -1

regress-v8-4972.js test/mjsunit/regress/regress-v8-4972.js +5 -0

No files found.
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -13164,7 +13164,9 @@ void JSFunction::CalculateInstanceSizeForDerivedClass(
  for (PrototypeIterator iter(isolate, this,
                              PrototypeIterator::START_AT_RECEIVER);
       !iter.IsAtEnd(); iter.Advance()) {
-    JSFunction* func = iter.GetCurrent<JSFunction>();
+    JSReceiver* current = iter.GetCurrent<JSReceiver>();
+    if (!current->IsJSFunction()) break;
+    JSFunction* func = JSFunction::cast(current);
    SharedFunctionInfo* shared = func->shared();
    expected_nof_properties += shared->expected_nof_properties();
    if (!IsSubclassConstructor(shared->kind())) {

--- a/test/mjsunit/regress/regress-v8-4972.js
+++ b/test/mjsunit/regress/regress-v8-4972.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+new class extends new Proxy(class {},{}) {}