Commit e395871f authored by Georg Neis, committed by Commit Bot

[runtime] Don't invalidate property cell when it becomes read-only

The compiler assumes (for loads) that the property cell of a
non-configurable global property never gets invalidated.

Bug: chromium:1044919
Change-Id: I27f6ce30fb9a21e2c1e5310f25e9bb973ebbc266
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2023562
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66021}
parent 2d10033f
...@@ -7859,6 +7859,7 @@ Handle<PropertyCell> PropertyCell::InvalidateEntry( ...@@ -7859,6 +7859,7 @@ Handle<PropertyCell> PropertyCell::InvalidateEntry(
bool is_the_hole = cell->value().IsTheHole(isolate); bool is_the_hole = cell->value().IsTheHole(isolate);
// Cell is officially mutable henceforth. // Cell is officially mutable henceforth.
PropertyDetails details = cell->property_details(); PropertyDetails details = cell->property_details();
DCHECK(details.IsConfigurable());
details = details.set_cell_type(is_the_hole ? PropertyCellType::kUninitialized details = details.set_cell_type(is_the_hole ? PropertyCellType::kUninitialized
: PropertyCellType::kMutable); : PropertyCellType::kMutable);
new_cell->set_property_details(details); new_cell->set_property_details(details);
...@@ -7936,8 +7937,7 @@ Handle<PropertyCell> PropertyCell::PrepareForValue( ...@@ -7936,8 +7937,7 @@ Handle<PropertyCell> PropertyCell::PrepareForValue(
const PropertyDetails original_details = cell->property_details(); const PropertyDetails original_details = cell->property_details();
// Data accesses could be cached in ics or optimized code. // Data accesses could be cached in ics or optimized code.
bool invalidate = bool invalidate =
(original_details.kind() == kData && details.kind() == kAccessor) || original_details.kind() == kData && details.kind() == kAccessor;
(!original_details.IsReadOnly() && details.IsReadOnly());
int index; int index;
PropertyCellType old_type = original_details.cell_type(); PropertyCellType old_type = original_details.cell_type();
// Preserve the enumeration index unless the property was deleted or never // Preserve the enumeration index unless the property was deleted or never
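Review bot: The new `DCHECK(details.IsConfigurable());` in PropertyCell::InvalidateEntry is compiled out of release builds, so the invariant from the commit message (optimized loads assume the cell of a non-configurable global is never invalidated) is only checked in debug configurations; if any other caller reaches InvalidateEntry with a non-configurable cell, optimized code would presumably keep reading the replaced cell. If this path is not performance-critical, consider `CHECK(details.IsConfigurable());` with a comment above it such as `// Optimized loads embed the cell of a non-configurable global; it must never be replaced.` In PrepareForValue, the existing comment above `invalidate` should also state why a writable-to-read-only transition no longer invalidates and where code that cached a store to the cell gets deoptimized, since that is not visible in this hunk. Both function bodies start and end outside the hunks shown.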
......
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
(function main() {
eval();
function foo() {
bla = [];
bla.__proto__ = '';
}
%PrepareFunctionForOptimization(foo);
foo();
Object.defineProperty(this, 'bla',
{value: bla, configurable: false, writable: true});
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
Object.defineProperty(this, 'bla',
{value: bla, configurable: false, writable: false});
foo();
})();
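Review bot: The regression test asserts nothing, so it fails only if the engine crashes or trips the new DCHECK in a debug build; a release build in which optimized `foo` still wrote to the now read-only global would pass unnoticed. Consider capturing the value before the final call and checking it afterwards, e.g. `const before = bla; foo(); assertSame(before, bla);`. A short comment above `main` naming the scenario (global made non-configurable, `foo` optimized, then the global made read-only) would also help, because the file otherwise carries only the flags line.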