From b531bbabd10422914dd209683dbbf5c2ee5772b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Mon, 5 Nov 2018 20:02:39 +0100 Subject: [PATCH] deps: patch V8 to 7.0.276.36 Refs: https://github.com/v8/v8/compare/7.0.276.35...7.0.276.36 --- deps/v8/include/v8-version.h | 2 +- deps/v8/src/objects.cc | 13 +++++++--- .../mjsunit/regress/regress-crbug-881247.js | 24 +++++++++++++++++++ 3 files changed, 35 insertions(+), 4 deletions(-) create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-881247.js diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index e476dff7bceb67..f43a776eac99d3 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 7 #define V8_MINOR_VERSION 0 #define V8_BUILD_NUMBER 276 -#define V8_PATCH_LEVEL 35 +#define V8_PATCH_LEVEL 36 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/objects.cc b/deps/v8/src/objects.cc index d4af74b2bd3983..811656ad9afa43 100644 --- a/deps/v8/src/objects.cc +++ b/deps/v8/src/objects.cc @@ -10266,15 +10266,22 @@ Handle DescriptorArray::CopyForFastObjectClone( Name* key = src->GetKey(i); PropertyDetails details = src->GetDetails(i); - SLOW_DCHECK(!key->IsPrivateField() && details.IsEnumerable() && - details.kind() == kData); + DCHECK(!key->IsPrivateField()); + DCHECK(details.IsEnumerable()); + DCHECK_EQ(details.kind(), kData); // Ensure the ObjectClone property details are NONE, and that all source // details did not contain DONT_ENUM. PropertyDetails new_details(kData, NONE, details.location(), details.constness(), details.representation(), details.field_index()); - descriptors->Set(i, key, src->GetValue(i), new_details); + // Do not propagate the field type of normal object fields from the + // original descriptors since FieldType changes don't create new maps. + MaybeObject* type = src->GetValue(i); + if (details.location() == PropertyLocation::kField) { + type = MaybeObject::FromObject(FieldType::Any()); + } + descriptors->Set(i, key, type, new_details); } descriptors->Sort(); diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-881247.js b/deps/v8/test/mjsunit/regress/regress-crbug-881247.js new file mode 100644 index 00000000000000..4605c3f51bc3b3 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-crbug-881247.js @@ -0,0 +1,24 @@ +// Copyright 2018 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +const resolvedPromise = Promise.resolve(); + +function spread() { + const result = { ...resolvedPromise }; + %HeapObjectVerify(result); + return result; +} + +resolvedPromise[undefined] = {a:1}; +%HeapObjectVerify(resolvedPromise); + +spread(); + +resolvedPromise[undefined] = undefined; +%HeapObjectVerify(resolvedPromise); + +spread(); +%HeapObjectVerify(resolvedPromise);