    [runtime] fix ClusterFuzz regressions (and remaining nits) in CloneObject · d6efcbf0
    Caitlin Potter authored
    Includes fixes for several ClusterFuzz regressions:
    
    1) fix an invalid Handle-cast in ic.cc (chromium:866282)
    
    2) fix for improper accounting of used/unused inobject
    fields, found by clusterfuzz (chromium:866357).
    
    3) fix number of control outputs for the JSCloneObject
    operator to be used by IfSuccess and IfException nodes (chromium:866727).
    
    4) fix property constness in out-of-object properties of fast-cloned
    object to be compatible with DCHECKs in StoreIC (chromium:866861).
    
    Also includes the fixups missing from the initial commit, and
    regression tests
    
    BUG=v8:7611, chromium:866282, chromium:866357, chromium:866727, chromium:866861
    R=jkummerow@chromium.org, mvstanton@chromium.org
    TBR=rmcilroy@chromium.org
    
    Change-Id: I77220308482f16db2893c0dcebec36530d0f5540
    Reviewed-on: https://chromium-review.googlesource.com/1146297
    Commit-Queue: Caitlin Potter <caitp@igalia.com>
    Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
    Reviewed-by: Michael Stanton <mvstanton@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#54706}
Name
benchmarks
cctest
common
debugger
fuzzer
inspector
intl
js-perf-test
memory
message
mjsunit
mkgrokdump
mozilla
preparser
test262
torque
unittests
wasm-spec-tests
webkit
BUILD.gn