diff options
| -rw-r--r-- | deps/v8/include/v8-version.h | 2 | ||||
| -rw-r--r-- | deps/v8/src/objects.cc | 13 | ||||
| -rw-r--r-- | deps/v8/test/mjsunit/regress/regress-crbug-881247.js | 24 |
3 files changed, 35 insertions, 4 deletions
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index e476dff7bc..f43a776eac 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 7 #define V8_MINOR_VERSION 0 #define V8_BUILD_NUMBER 276 -#define V8_PATCH_LEVEL 35 +#define V8_PATCH_LEVEL 36 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/objects.cc b/deps/v8/src/objects.cc index d4af74b2bd..811656ad9a 100644 --- a/deps/v8/src/objects.cc +++ b/deps/v8/src/objects.cc @@ -10266,15 +10266,22 @@ Handle<DescriptorArray> DescriptorArray::CopyForFastObjectClone( Name* key = src->GetKey(i); PropertyDetails details = src->GetDetails(i); - SLOW_DCHECK(!key->IsPrivateField() && details.IsEnumerable() && - details.kind() == kData); + DCHECK(!key->IsPrivateField()); + DCHECK(details.IsEnumerable()); + DCHECK_EQ(details.kind(), kData); // Ensure the ObjectClone property details are NONE, and that all source // details did not contain DONT_ENUM. PropertyDetails new_details(kData, NONE, details.location(), details.constness(), details.representation(), details.field_index()); - descriptors->Set(i, key, src->GetValue(i), new_details); + // Do not propagate the field type of normal object fields from the + // original descriptors since FieldType changes don't create new maps. + MaybeObject* type = src->GetValue(i); + if (details.location() == PropertyLocation::kField) { + type = MaybeObject::FromObject(FieldType::Any()); + } + descriptors->Set(i, key, type, new_details); } descriptors->Sort(); diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-881247.js b/deps/v8/test/mjsunit/regress/regress-crbug-881247.js new file mode 100644 index 0000000000..4605c3f51b --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-crbug-881247.js @@ -0,0 +1,24 @@ +// Copyright 2018 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +const resolvedPromise = Promise.resolve(); + +function spread() { + const result = { ...resolvedPromise }; + %HeapObjectVerify(result); + return result; +} + +resolvedPromise[undefined] = {a:1}; +%HeapObjectVerify(resolvedPromise); + +spread(); + +resolvedPromise[undefined] = undefined; +%HeapObjectVerify(resolvedPromise); + +spread(); +%HeapObjectVerify(resolvedPromise); |