[runtime] Fix protector invalidation

Protectors trigger when special properties are modified or masked. Previously we would check whether the property stored on the holder would invalidate the protector. Stores to to the receiver rather than the holder, however, so this CL changes holder for receiver, and adds additional checks that were missing. Bug: v8:9466 Change-Id: I81bc3d73f91381da0d254e9eb79365ae2d25d998 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708468 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#62805}

[runtime] Fix protector invalidation
Protectors trigger when special properties are modified or masked. Previously we would check whether the property stored on the holder would invalidate the protector. Stores to to the receiver rather than the holder, however, so this CL changes holder for receiver, and adds additional checks that were missing. Bug: v8:9466 Change-Id: I81bc3d73f91381da0d254e9eb79365ae2d25d998 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708468 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#62805}
e55e0aa5 · Toon Verwaest · Commit Bot · 777d5084 · e55e0aa5 · e55e0aa5
Commit e55e0aa5 authored Jul 18, 2019 by Toon Verwaest Committed by Commit Bot Jul 18, 2019
6 changed files
--- a/src/objects/lookup.cc
+++ b/src/objects/lookup.cc
--- a/test/mjsunit/es6/map-iterator-8.js
+++ b/test/mjsunit/es6/map-iterator-8.js
@@ -25,7 +25,7 @@ assertEquals([], [...map.keys()]);
 assertEquals([], [...map.values()]);
 assertEquals([], [...iterator]);

-assertFalse(%SetIteratorProtector());
+assertTrue(%SetIteratorProtector());
 assertEquals([1,2,3], [...set]);
 assertEquals([[1,1],[2,2],[3,3]], [...set.entries()]);
 assertEquals([1,2,3], [...set.keys()]);

--- a/test/mjsunit/es6/map-iterator-9.js
+++ b/test/mjsunit/es6/map-iterator-9.js
@@ -23,7 +23,7 @@ assertEquals([1,2,3], [...map.keys()]);
 assertEquals([2,3,4], [...map.values()]);
 assertEquals([], [...iterator]);

-assertFalse(%SetIteratorProtector());
+assertTrue(%SetIteratorProtector());
 assertEquals([1,2,3], [...set]);
 assertEquals([[1,1],[2,2],[3,3]], [...set.entries()]);
 assertEquals([1,2,3], [...set.keys()]);

--- a/test/mjsunit/es6/set-iterator-8.js
+++ b/test/mjsunit/es6/set-iterator-8.js
@@ -18,7 +18,7 @@ assertTrue(%SetIteratorProtector());
 var iterator = set.keys();
 iterator.__proto__[Symbol.iterator] = () => ({next: () => ({done: true})});

-assertFalse(%MapIteratorProtector());
+assertTrue(%MapIteratorProtector());
 assertEquals([[1,2], [2,3], [3,4]], [...map]);
 assertEquals([[1,2], [2,3], [3,4]], [...map.entries()]);
 assertEquals([1,2,3], [...map.keys()]);

--- a/test/mjsunit/es6/set-iterator-9.js
+++ b/test/mjsunit/es6/set-iterator-9.js
@@ -17,7 +17,7 @@ assertTrue(%SetIteratorProtector());
 var iterator = set.keys();
 iterator[Symbol.iterator] = () => ({next: () => ({done: true})});

-assertFalse(%MapIteratorProtector());
+assertTrue(%MapIteratorProtector());
 assertEquals([[1,2], [2,3], [3,4]], [...map]);
 assertEquals([[1,2], [2,3], [3,4]], [...map.entries()]);
 assertEquals([1,2,3], [...map.keys()]);

--- a/test/mjsunit/regress/regress-9466.js
+++ b/test/mjsunit/regress/regress-9466.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const o = [];
+o.__proto__ = {};
+o.constructor = function() {};
+o.constructor[Symbol.species] = function f() {};
+o.__proto__ = Array.prototype;
+assertEquals(o.constructor[Symbol.species], o.concat([1,2,3]).constructor);