[runtime] Make sure we don't inplace update None to Double

This was already unsupported by the map updated because the condition was manually checked before CanBeInPlaceChangedTo. Since the latter function missed the check, however, new code using the function (json parser) missed the relevant check. Simply move the condition to the function. Bug: chromium:964869 Change-Id: I9424a5706c5f6d637acbf532707da3f1e7d9b55e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1622114 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#61703}

[runtime] Make sure we don't inplace update None to Double
This was already unsupported by the map updated because the condition was manually checked before CanBeInPlaceChangedTo. Since the latter function missed the check, however, new code using the function (json parser) missed the relevant check. Simply move the condition to the function. Bug: chromium:964869 Change-Id: I9424a5706c5f6d637acbf532707da3f1e7d9b55e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1622114 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#61703}
cdd3c7cb · Toon Verwaest · Commit Bot · b126a9df · cdd3c7cb · cdd3c7cb
Commit cdd3c7cb authored May 21, 2019 by Toon Verwaest Committed by Commit Bot May 21, 2019
Showing with 12 additions and 9 deletions

map-updater.cc src/objects/map-updater.cc +1 -8

property-details.h src/objects/property-details.h +6 -1

regress-crbug-964869.js test/mjsunit/regress/regress-crbug-964869.js +5 -0

No files found.
--- a/src/objects/map-updater.cc
+++ b/src/objects/map-updater.cc
@@ -214,14 +214,7 @@ MapUpdater::State MapUpdater::TryReconfigureToDataFieldInplace() {
  // Updating deprecated maps in-place doesn't make sense.
  if (old_map_->is_deprecated()) return state_;

-  // If it's just a representation generalization case (i.e. property kind and
-  // attributes stays unchanged) it's fine to transition from None to anything
-  // but double without any modification to the object, because the default
-  // uninitialized value for representation None can be overwritten by both
-  // smi and tagged values. Doubles, however, would require a box allocation.
-  if (new_representation_.IsNone() || new_representation_.IsDouble()) {
-    return state_;  // Not done yet.
-  }
+  if (new_representation_.IsNone()) return state_;  // Not done yet.

  PropertyDetails old_details =
      old_descriptors_->GetDetails(modified_descriptor_);

--- a/src/objects/property-details.h
+++ b/src/objects/property-details.h
@@ -105,7 +105,12 @@ class Representation {
  }

  bool CanBeInPlaceChangedTo(const Representation& other) const {
-    if (IsNone()) return true;
+    // If it's just a representation generalization case (i.e. property kind and
+    // attributes stays unchanged) it's fine to transition from None to anything
+    // but double without any modification to the object, because the default
+    // uninitialized value for representation None can be overwritten by both
+    // smi and tagged values. Doubles, however, would require a box allocation.
+    if (IsNone()) return !other.IsDouble();
    if (!FLAG_modify_field_representation_inplace) return false;
    return (IsSmi() || IsHeapObject()) && other.IsTagged();
  }

--- a/test/mjsunit/regress/regress-crbug-964869.js
+++ b/test/mjsunit/regress/regress-crbug-964869.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const o = {x: JSON.parse('{"x":1.1}').x};