Commit da83b618 authored by Camillo Bruni, committed by Commit Bot

[runtime] Fix overzealous check for derived constructor instance size

Bug: chromium:813427
Change-Id: Ie0b096b20f335648e7920c5ebe4ff0fa3b5ab9d5
Reviewed-on: https://chromium-review.googlesource.com/926003
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51393}
parent 18344ef4
...@@ -13075,7 +13075,7 @@ bool FastInitializeDerivedMap(Isolate* isolate, Handle<JSFunction> new_target, ...@@ -13075,7 +13075,7 @@ bool FastInitializeDerivedMap(Isolate* isolate, Handle<JSFunction> new_target,
if (success) { if (success) {
int pre_allocated = constructor_initial_map->GetInObjectProperties() - int pre_allocated = constructor_initial_map->GetInObjectProperties() -
constructor_initial_map->UnusedPropertyFields(); constructor_initial_map->UnusedPropertyFields();
CHECK_LE(constructor_initial_map->instance_size(), instance_size); CHECK_LE(constructor_initial_map->UsedInstanceSize(), instance_size);
int unused_property_fields = in_object_properties - pre_allocated; int unused_property_fields = in_object_properties - pre_allocated;
map = Map::CopyInitialMap(constructor_initial_map, instance_size, map = Map::CopyInitialMap(constructor_initial_map, instance_size,
in_object_properties, unused_property_fields); in_object_properties, unused_property_fields);
......
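Review bot: The relaxed `CHECK_LE` on the changed line carries no comment explaining why `UsedInstanceSize()` rather than `instance_size()` is the right bound, and for a release-mode check that guards the `Map::CopyInitialMap` call the reasoning should be written down. Assuming the intent matches the commit title, a comment above it such as `// Only the fields already in use have to fit; the constructor's initial map may still carry slack the derived map does not need.` would do. The following line computes `unused_property_fields = in_object_properties - pre_allocated` with nothing visible that keeps the result non-negative; `in_object_properties` is set outside the hunk, so if the bound above is meant to imply that, `DCHECK_LE(0, unused_property_fields);` after the subtraction would state it explicitly. FastInitializeDerivedMap begins and ends outside the hunk.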
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Create {count} property assignments.
function createPropertiesAssignment(count) {
let result = "";
for (let i = 0; i < count; i++) {
result += "this.p"+i+" = undefined;";
}
return result;
}
function testSubclassProtoProperties(count) {
const MyClass = eval(`(class MyClass {
constructor() {
${createPropertiesAssignment(count)}
}
});`);
class BaseClass {};
class SubClass extends BaseClass {
constructor() {
super()
}
};
const boundMyClass = MyClass.bind();
%HeapObjectVerify(boundMyClass);
SubClass.__proto__ = boundMyClass;
var instance = new SubClass();
%HeapObjectVerify(instance);
// Create some more instances to complete in-object slack tracking.
let results = [];
for (let i = 0; i < 4000; i++) {
results.push(new SubClass());
}
var instance = new SubClass();
%HeapObjectVerify(instance);
}
for (let count = 0; count < 10; count++) {
testSubclassProtoProperties(count);
}
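Review bot: The regression test only calls `%HeapObjectVerify` and never asserts the shape of the derived instance, so in a build where that verification is weaker (presumably any build without heap verification enabled) it exercises just the crash path. After each `new SubClass()` in `testSubclassProtoProperties`, an assertion such as `assertEquals(count, Object.keys(instance).length);` would pin that the properties assigned by the bound base constructor actually land on the instance. `var instance` is also declared twice in the same function; the second can be a plain assignment, or both can become `const` with distinct names. The loop bound of 4000 is explained only as completing slack tracking, with no hint of why that many instances are needed; a named constant or a short note on the number would help the next reader.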