src/interpreter · b45fdb342a25e8bec633d99be8aaf2648a8f104d · Linshizhi / V8

[runtime] fix ClusterFuzz regressions (and remaining nits) in CloneObject · d6efcbf0

Caitlin Potter authored Jul 25, 2018

Includes fixes for several ClusterFuzz regressions:

1) fix an invalid Handle-cast in ic.cc (chromium:866282)

2) fix for improper accounting of used/unused inobject
fields, found by clusterfuzz (chromium:866357).

3) fix number of control outputs for the JSCloneObject
operator to be used by IfSuccess and IfException nodes (chromium:866727).

4) fix property constness in out-of-object properties of fast-cloned
object to be compatible with DCHECKs in StoreIC (chromium:866861).

Also includes the fixups missing from the initial commit, and
regression tests

BUG=v8:7611, chromium:866282, chromium:866357, chromium:866727, chromium:866861
R=jkummerow@chromium.org, mvstanton@chromium.org
TBR=rmcilroy@chromium.org

Change-Id: I77220308482f16db2893c0dcebec36530d0f5540
Reviewed-on: https://chromium-review.googlesource.com/1146297
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54706}

d6efcbf0

Name	Last commit	Last update
..
OWNERS		Loading commit data...
block-coverage-builder.h		Loading commit data...
bytecode-array-accessor.cc		Loading commit data...
bytecode-array-accessor.h		Loading commit data...
bytecode-array-builder.cc		Loading commit data...
bytecode-array-builder.h		Loading commit data...
bytecode-array-iterator.cc		Loading commit data...
bytecode-array-iterator.h		Loading commit data...
bytecode-array-random-iterator.cc		Loading commit data...
bytecode-array-random-iterator.h		Loading commit data...
bytecode-array-writer.cc		Loading commit data...
bytecode-array-writer.h		Loading commit data...
bytecode-decoder.cc		Loading commit data...
bytecode-decoder.h		Loading commit data...
bytecode-flags.cc		Loading commit data...
bytecode-flags.h		Loading commit data...
bytecode-generator.cc		Loading commit data...
bytecode-generator.h		Loading commit data...
bytecode-jump-table.h		Loading commit data...
bytecode-label.cc		Loading commit data...
bytecode-label.h		Loading commit data...
bytecode-node.cc		Loading commit data...
bytecode-node.h		Loading commit data...
bytecode-operands.cc		Loading commit data...
bytecode-operands.h		Loading commit data...
bytecode-register-allocator.h		Loading commit data...
bytecode-register-optimizer.cc		Loading commit data...
bytecode-register-optimizer.h		Loading commit data...
bytecode-register.cc		Loading commit data...
bytecode-register.h		Loading commit data...
bytecode-source-info.cc		Loading commit data...
bytecode-source-info.h		Loading commit data...
bytecode-traits.h		Loading commit data...
bytecodes.cc		Loading commit data...
bytecodes.h		Loading commit data...
constant-array-builder.cc		Loading commit data...
constant-array-builder.h		Loading commit data...
control-flow-builders.cc		Loading commit data...
control-flow-builders.h		Loading commit data...
handler-table-builder.cc		Loading commit data...
handler-table-builder.h		Loading commit data...
interpreter-assembler.cc		Loading commit data...
interpreter-assembler.h		Loading commit data...
interpreter-generator.cc		Loading commit data...
interpreter-generator.h		Loading commit data...
interpreter-intrinsics-generator.cc		Loading commit data...
interpreter-intrinsics-generator.h		Loading commit data...
interpreter-intrinsics.cc		Loading commit data...
interpreter-intrinsics.h		Loading commit data...
interpreter.cc		Loading commit data...
interpreter.h		Loading commit data...
setup-interpreter-internal.cc		Loading commit data...
setup-interpreter.h		Loading commit data...