deps: V8: backport 3e010af

Original commit message: [CloneObjectIC] clone MutableHeapNumbers only if !FLAG_unbox_double_fields Change the macros added in bf84766a2cd3e09070adcd6228a3a487c8dc4bbd to only do the hard work if FLAG_unbox_double_fields is unset (otherwise, they will attempt to dereference raw float64s, which is bad!) Also adds a write barrier in CopyPropertyArrayValues for each store if it's possible that a MutableHeapNumber is cloned. BUG=chromium:901301, chromium:902965, chromium:903070, v8:7611 R=cbruni@chromium.org, jkummerow@chromium.org, ishell@chromium.org Change-Id: I224d3c4e7b0a887684bff68985b4d97021ba4cfb Reviewed-on: https://chromium-review.googlesource.com/c/1323911 Commit-Queue: Caitlin Potter <caitp@igalia.com> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#57368} PR-URL: https://github.com/nodejs/node/pull/25101 Refs: https://github.com/v8/v8/commit/3e010af274088493f3485d7a16dec4e31550e876 Fixes: https://github.com/nodejs/node/issues/25089 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Gus Caplan <me@gus.host> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com> Reviewed-By: Yang Guo <yangguo@chromium.org>
author: Ruben Bridgewater <ruben@bridgewater.de> 2018-12-20 14:34:20 +0100
committer: Daniel Bevenius <daniel.bevenius@gmail.com> 2018-12-21 07:28:52 +0100
commit: 4884ca6428c0069468beea0826d228e167ad9cea (patch)
tree: f91ac1c7e585a0ba2efec4faf597541d0ece179e /deps/v8/test/mjsunit/es9/regress/regress-902965.js
parent: b5784fe5d598c9c8076cacaad7105a05457b22b4 (diff)
download: android-node-v8-4884ca6428c0069468beea0826d228e167ad9cea.tar.gz
android-node-v8-4884ca6428c0069468beea0826d228e167ad9cea.tar.bz2
android-node-v8-4884ca6428c0069468beea0826d228e167ad9cea.zip
1 files changed, 12 insertions, 0 deletions
diff --git a/deps/v8/test/mjsunit/es9/regress/regress-902965.js b/deps/v8/test/mjsunit/es9/regress/regress-902965.js
new file mode 100644
index 0000000000..e2035b242f
--- /dev/null
+++ b/deps/v8/test/mjsunit/es9/regress/regress-902965.js
@@ -0,0 +1,12 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Previously, spreading in-object properties would always treat double fields
+// as tagged, potentially dereferencing a Float64.
+function inobjectDouble() {
+  "use strict";
+  this.x = -3.9;
+}
+const instance = new inobjectDouble();
+const clone = { ...instance, };
author	Ruben Bridgewater <ruben@bridgewater.de>	2018-12-20 14:34:20 +0100
committer	Daniel Bevenius <daniel.bevenius@gmail.com>	2018-12-21 07:28:52 +0100
commit	4884ca6428c0069468beea0826d228e167ad9cea (patch)
tree	f91ac1c7e585a0ba2efec4faf597541d0ece179e /deps/v8/test/mjsunit/es9/regress/regress-902965.js
parent	b5784fe5d598c9c8076cacaad7105a05457b22b4 (diff)
download	android-node-v8-4884ca6428c0069468beea0826d228e167ad9cea.tar.gz android-node-v8-4884ca6428c0069468beea0826d228e167ad9cea.tar.bz2 android-node-v8-4884ca6428c0069468beea0826d228e167ad9cea.zip