1. 25 Jul, 2018 1 commit
    • [runtime] fix ClusterFuzz regressions (and remaining nits) in CloneObject · d6efcbf0
      Caitlin Potter authored
      Includes fixes for several ClusterFuzz regressions:
      
      1) fix an invalid Handle-cast in ic.cc (chromium:866282)
      
      2) fix for improper accounting of used/unused inobject
      fields, found by clusterfuzz (chromium:866357).
      
      3) fix number of control outputs for the JSCloneObject
      operator to be used by IfSuccess and IfException nodes (chromium:866727).
      
      4) fix property constness in out-of-object properties of fast-cloned
      object to be compatible with DCHECKs in StoreIC (chromium:866861).
      
      Also includes the fixups missing from the initial commit, and
      regression tests.
      
      BUG=v8:7611, chromium:866282, chromium:866357, chromium:866727, chromium:866861
      R=jkummerow@chromium.org, mvstanton@chromium.org
      TBR=rmcilroy@chromium.org
      
      Change-Id: I77220308482f16db2893c0dcebec36530d0f5540
      Reviewed-on: https://chromium-review.googlesource.com/1146297
      Commit-Queue: Caitlin Potter <caitp@igalia.com>
      Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
      Reviewed-by: Michael Stanton <mvstanton@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#54706}