Commit e003d21d authored by Igor Sheludko's avatar Igor Sheludko Committed by Commit Bot

[runtime] Properly handle null constructor case when feeding back normalization.

BUG=chromium:697017

Change-Id: Ibb7165387a983987dcd04be330591b6bb70ff991
Reviewed-on: https://chromium-review.googlesource.com/448217
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43507}
parent 78d9d5b5
...@@ -9230,10 +9230,12 @@ Handle<Map> Map::TransitionToDataProperty(Handle<Map> map, Handle<Name> name, ...@@ -9230,10 +9230,12 @@ Handle<Map> Map::TransitionToDataProperty(Handle<Map> map, Handle<Name> name,
reason = buffer->start(); reason = buffer->start();
} }
#endif #endif
Handle<Map> result; Handle<Object> maybe_constructor(map->GetConstructor(), isolate);
Handle<JSFunction> constructor(JSFunction::cast(map->GetConstructor()));
if (FLAG_feedback_normalization && map->new_target_is_base() && if (FLAG_feedback_normalization && map->new_target_is_base() &&
!constructor->shared()->native()) { maybe_constructor->IsJSFunction() &&
!JSFunction::cast(*maybe_constructor)->shared()->native()) {
Handle<JSFunction> constructor =
Handle<JSFunction>::cast(maybe_constructor);
DCHECK_NE(*constructor, DCHECK_NE(*constructor,
constructor->context()->native_context()->object_function()); constructor->context()->native_context()->object_function());
Handle<Map> initial_map(constructor->initial_map(), isolate); Handle<Map> initial_map(constructor->initial_map(), isolate);
...@@ -9252,7 +9254,6 @@ Handle<Map> Map::TransitionToDataProperty(Handle<Map> map, Handle<Name> name, ...@@ -9252,7 +9254,6 @@ Handle<Map> Map::TransitionToDataProperty(Handle<Map> map, Handle<Name> name,
} else { } else {
result = Map::Normalize(map, CLEAR_INOBJECT_PROPERTIES, reason); result = Map::Normalize(map, CLEAR_INOBJECT_PROPERTIES, reason);
} }
return result;
} }
return result; return result;
......
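Review bot: The new `maybe_constructor->IsJSFunction()` guard has no comment saying why the constructor slot can hold something other than a function, so a later cleanup could easily fold it back into a bare `JSFunction::cast(map->GetConstructor())`. I would add above the `if`: `// GetConstructor() may return a non-JSFunction (e.g. null); check the type before casting.` As far as I know `JSFunction::cast` is only verified in debug builds, so without the guard a release build would go on to read `shared()` from an object of the wrong type. Map::TransitionToDataProperty starts and ends outside the hunks shown, so its other uses of the constructor are not covered by this note.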
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
for (var i = 0; i < 100; i++) {
print(i);
(Int32Array)["abc" + i] = i;
}
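Review bot: The test has no comment tying it to the bug, and `print(i)` writes 100 lines to the test log without checking anything. I would put `// Regression test for crbug.com/697017: adding many named properties to Int32Array must not crash.` above the loop. I would also drop the `print(i);` line unless the output is needed for the reproduction.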