[cloneobjectic] initialize property array before filling it

This avoids leaving the heap in an invalid state if a GC occurs during
population of the cloned property array, as is done in other IC
builtins.

BUG=chromium:904167, v8:7611
R=jkummerow@chromium.org, ishell@chromium.org

Change-Id: I0350ed2d65b72e299f7109b7d5aa86331f60e940
Reviewed-on: https://chromium-review.googlesource.com/c/1350282
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57879}
caitp authored and Commit Bot committed Nov 26, 2018
1 parent 3649dc1 commit 3729410578fc63793be84810694e861ec802c119
Showing with 16 additions and 0 deletions.
  1. +2 −0 src/ic/accessor-assembler.cc
  2. +14 −0 test/mjsunit/es9/regress/regress-904167.js
@@ -3616,6 +3616,8 @@ void AccessorAssembler::GenerateCloneObjectIC() {
auto mode = INTPTR_PARAMETERS;
var_properties = CAST(AllocatePropertyArray(length, mode));
FillPropertyArrayWithUndefined(var_properties.value(), IntPtrConstant(0),
length, mode);
CopyPropertyArrayValues(source_properties, var_properties.value(), length,
SKIP_WRITE_BARRIER, mode, DestroySource::kNo);
}
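Review bot: the new FillPropertyArrayWithUndefined call sits between AllocatePropertyArray and CopyPropertyArrayValues with no comment, and nothing at this site says why the fill is required; a reader will likely see it as redundant work since every slot is overwritten by the copy immediately afterwards. Add a one-line comment above it stating the reason given in the commit message, that a GC during population of the array must not observe uninitialized slots, so the invariant is documented where the code is and a later cleanup does not remove the fill again.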
@@ -0,0 +1,14 @@
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Previously, spreading in-object properties would always treat double fields
// as tagged, potentially dereferencing a Float64.
// Ensure that we don't fail an assert from --verify-heap when cloning a
// MutableHeapNumber in the CloneObjectIC handler case.
var src, clone;
for (var i = 0; i < 40000; i++) {
src = { ...i, x: -9007199254740991 };
clone = { ...src };
}
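Review bot: the file comment (the "Previously, spreading in-object properties would always treat double fields as tagged" lines) describes the bug in terms of Float64 dereferencing, while the commit message describes the fix as avoiding an invalid heap state when a GC occurs during population of the cloned property array; the two should agree so the regression test documents what it actually guards. Also, the comment says the test is meant to avoid an assert under --verify-heap, but no `// Flags:` line appears in the file, so the failure this test exists for is only observable when the runner supplies that flag; either add the Flags line or note in the comment that the check depends on a --verify-heap run.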
