Ensure we don't overwrite transitions in SetPropertyIgnoreAttributes.

BUG=326155 LOG=y R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/134733011 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18754 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Ensure we don't overwrite transitions in SetPropertyIgnoreAttributes.
BUG=326155 LOG=y R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/134733011 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18754 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
c478b6dc · verwaest@chromium.org · 9ba4b74e · c478b6dc · c478b6dc · c478b6dc
Commit c478b6dc authored Jan 22, 2014 by verwaest@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 1 deletion

objects-inl.h src/objects-inl.h +11 -0

objects.cc src/objects.cc +4 -1

test-api.cc test/cctest/test-api.cc +15 -0

No files found.
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -4780,6 +4780,17 @@ void Map::set_transitions(TransitionArray* transition_array,
  // When there is another reference to the array somewhere (e.g. a handle),
  // not zapping turns from a waste of memory into a source of crashes.
  if (HasTransitionArray()) {
+#ifdef DEBUG
+    for (int i = 0; i < transitions()->number_of_transitions(); i++) {
+      Map* target = transitions()->GetTarget(i);
+      if (target->instance_descriptors() == instance_descriptors()) {
+        Name* key = transitions()->GetKey(i);
+        int new_target_index = transition_array->Search(key);
+        ASSERT(new_target_index != TransitionArray::kNotFound);
+        ASSERT(transition_array->GetTarget(new_target_index) == target);
+      }
+    }
+#endif
    ASSERT(transitions() != transition_array);
    ZapTransitions();
  }

--- a/src/objects.cc
+++ b/src/objects.cc
@@ -4218,9 +4218,12 @@ Handle<Object> JSObject::SetLocalPropertyIgnoreAttributes(

  // Check for accessor in prototype chain removed here in clone.
  if (!lookup.IsFound()) {
+    object->map()->LookupTransition(*object, *name, &lookup);
+    TransitionFlag flag = lookup.IsFound()
+        ? OMIT_TRANSITION : INSERT_TRANSITION;
    // Neither properties nor transitions found.
    return AddProperty(object, name, value, attributes, kNonStrictMode,
-        MAY_BE_STORE_FROM_KEYED, extensibility_check, value_type, mode);
+        MAY_BE_STORE_FROM_KEYED, extensibility_check, value_type, mode, flag);
  }

  Handle<Object> old_value = isolate->factory()->the_hole_value();

--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -1999,6 +1999,21 @@ THREADED_TEST(EmptyInterceptorDoesNotShadowAccessors) {
 }


+THREADED_TEST(EmptyInterceptorBreakTransitions) {
+  v8::HandleScope scope(CcTest::isolate());
+  Handle<FunctionTemplate> templ = FunctionTemplate::New(CcTest::isolate());
+  AddInterceptor(templ, EmptyInterceptorGetter, EmptyInterceptorSetter);
+  LocalContext env;
+  env->Global()->Set(v8_str("Constructor"), templ->GetFunction());
+  CompileRun("var o1 = new Constructor;"
+             "o1.a = 1;"  // Ensure a and x share the descriptor array.
+             "Object.defineProperty(o1, 'x', {value: 10});");
+  CompileRun("var o2 = new Constructor;"
+             "o2.a = 1;"
+             "Object.defineProperty(o2, 'x', {value: 10});");
+}
+
+
 THREADED_TEST(EmptyInterceptorDoesNotShadowJSAccessors) {
  v8::Isolate* isolate = CcTest::isolate();
  v8::HandleScope scope(isolate);