diff options
| -rw-r--r-- | deps/v8/include/v8-version.h | 2 | ||||
| -rw-r--r-- | deps/v8/src/objects-inl.h | 49 | ||||
| -rw-r--r-- | deps/v8/src/objects.cc | 27 | ||||
| -rw-r--r-- | deps/v8/src/objects.h | 2 | ||||
| -rw-r--r-- | deps/v8/src/profiler/heap-snapshot-generator.cc | 2 | ||||
| -rw-r--r-- | deps/v8/test/cctest/test-heap-profiler.cc | 11 | ||||
| -rw-r--r-- | deps/v8/test/mjsunit/regress/regress-crbug-806388.js | 20 |
7 files changed, 77 insertions, 36 deletions
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index 8c4bc02377..c3bd1dfe2d 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 6 #define V8_MINOR_VERSION 4 #define V8_BUILD_NUMBER 388 -#define V8_PATCH_LEVEL 42 +#define V8_PATCH_LEVEL 44 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/objects-inl.h b/deps/v8/src/objects-inl.h index 77ad087268..1cbb299057 100644 --- a/deps/v8/src/objects-inl.h +++ b/deps/v8/src/objects-inl.h @@ -2231,7 +2231,8 @@ int Map::NumberOfOwnDescriptors() const { void Map::SetNumberOfOwnDescriptors(int number) { - DCHECK(number <= instance_descriptors()->number_of_descriptors()); + CHECK_LE(static_cast<unsigned>(number), + static_cast<unsigned>(kMaxNumberOfDescriptors)); set_bit_field3(NumberOfOwnDescriptorsBits::update(bit_field3(), number)); } @@ -2239,8 +2240,9 @@ int Map::EnumLength() const { return EnumLengthBits::decode(bit_field3()); } void Map::SetEnumLength(int length) { if (length != kInvalidEnumCacheSentinel) { - DCHECK_GE(length, 0); - DCHECK(length <= NumberOfOwnDescriptors()); + DCHECK_LE(length, NumberOfOwnDescriptors()); + CHECK_LE(static_cast<unsigned>(length), + static_cast<unsigned>(kMaxNumberOfDescriptors)); } set_bit_field3(EnumLengthBits::update(bit_field3(), length)); } @@ -3002,9 +3004,9 @@ int Map::instance_size() const { } void Map::set_instance_size(int value) { - DCHECK_EQ(0, value & (kPointerSize - 1)); + CHECK_EQ(0, value & (kPointerSize - 1)); value >>= kPointerSizeLog2; - DCHECK(0 <= value && value < 256); + CHECK_LT(static_cast<unsigned>(value), 256); set_instance_size_in_words(value); } @@ -3015,8 +3017,7 @@ int Map::inobject_properties_start_or_constructor_function_index() const { void Map::set_inobject_properties_start_or_constructor_function_index( int value) { - DCHECK_LE(0, value); - DCHECK_LT(value, 256); + CHECK_LT(static_cast<unsigned>(value), 256); RELAXED_WRITE_BYTE_FIELD( this, kInObjectPropertiesStartOrConstructorFunctionIndexOffset, static_cast<byte>(value)); @@ -3028,7 +3029,7 @@ int Map::GetInObjectPropertiesStartInWords() const { } void Map::SetInObjectPropertiesStartInWords(int value) { - DCHECK(IsJSObjectMap()); + CHECK(IsJSObjectMap()); set_inobject_properties_start_or_constructor_function_index(value); } @@ -3044,7 +3045,7 @@ int Map::GetConstructorFunctionIndex() const { void Map::SetConstructorFunctionIndex(int value) { - DCHECK(IsPrimitiveMap()); + CHECK(IsPrimitiveMap()); set_inobject_properties_start_or_constructor_function_index(value); } @@ -3153,8 +3154,7 @@ int Map::used_or_unused_instance_size_in_words() const { } void Map::set_used_or_unused_instance_size_in_words(int value) { - DCHECK_LE(0, value); - DCHECK_LE(value, 255); + CHECK_LE(static_cast<unsigned>(value), 255); WRITE_BYTE_FIELD(this, kUsedOrUnusedInstanceSizeInWordsOffset, static_cast<byte>(value)); } @@ -3172,12 +3172,12 @@ int Map::UsedInstanceSize() const { void Map::SetInObjectUnusedPropertyFields(int value) { STATIC_ASSERT(JSObject::kFieldsAdded == JSObject::kHeaderSize / kPointerSize); if (!IsJSObjectMap()) { - DCHECK_EQ(0, value); + CHECK_EQ(0, value); set_used_or_unused_instance_size_in_words(0); DCHECK_EQ(0, UnusedPropertyFields()); return; } - DCHECK_LE(0, value); + CHECK_LE(0, value); DCHECK_LE(value, GetInObjectProperties()); int used_inobject_properties = GetInObjectProperties() - value; set_used_or_unused_instance_size_in_words( @@ -3187,8 +3187,7 @@ void Map::SetInObjectUnusedPropertyFields(int value) { void Map::SetOutOfObjectUnusedPropertyFields(int value) { STATIC_ASSERT(JSObject::kFieldsAdded == JSObject::kHeaderSize / kPointerSize); - DCHECK_LE(0, value); - DCHECK_LT(value, JSObject::kFieldsAdded); + CHECK_LT(static_cast<unsigned>(value), JSObject::kFieldsAdded); // For out of object properties "used_instance_size_in_words" byte encodes // the slack in the property array. set_used_or_unused_instance_size_in_words(value); @@ -3227,8 +3226,8 @@ void Map::AccountAddedOutOfObjectPropertyField(int unused_in_property_array) { if (unused_in_property_array < 0) { unused_in_property_array += JSObject::kFieldsAdded; } - DCHECK_GE(unused_in_property_array, 0); - DCHECK_LT(unused_in_property_array, JSObject::kFieldsAdded); + CHECK_LT(static_cast<unsigned>(unused_in_property_array), + JSObject::kFieldsAdded); set_used_or_unused_instance_size_in_words(unused_in_property_array); DCHECK_EQ(unused_in_property_array, UnusedPropertyFields()); } @@ -3358,7 +3357,7 @@ bool Map::should_be_fast_prototype_map() const { } void Map::set_elements_kind(ElementsKind elements_kind) { - DCHECK_LT(static_cast<int>(elements_kind), kElementsKindCount); + CHECK_LT(static_cast<int>(elements_kind), kElementsKindCount); DCHECK_LE(kElementsKindCount, 1 << Map::ElementsKindBits::kSize); set_bit_field2(Map::ElementsKindBits::update(bit_field2(), elements_kind)); DCHECK(this->elements_kind() == elements_kind); @@ -3700,7 +3699,7 @@ Object* Map::prototype_info() const { void Map::set_prototype_info(Object* value, WriteBarrierMode mode) { - DCHECK(is_prototype_map()); + CHECK(is_prototype_map()); WRITE_FIELD(this, Map::kTransitionsOrPrototypeInfoOffset, value); CONDITIONAL_WRITE_BARRIER( GetHeap(), this, Map::kTransitionsOrPrototypeInfoOffset, value, mode); @@ -3708,11 +3707,11 @@ void Map::set_prototype_info(Object* value, WriteBarrierMode mode) { void Map::SetBackPointer(Object* value, WriteBarrierMode mode) { - DCHECK(instance_type() >= FIRST_JS_RECEIVER_TYPE); - DCHECK(value->IsMap()); - DCHECK(GetBackPointer()->IsUndefined(GetIsolate())); - DCHECK(!value->IsMap() || - Map::cast(value)->GetConstructor() == constructor_or_backpointer()); + CHECK_GE(instance_type(), FIRST_JS_RECEIVER_TYPE); + CHECK(value->IsMap()); + CHECK(GetBackPointer()->IsUndefined(GetIsolate())); + CHECK_IMPLIES(value->IsMap(), Map::cast(value)->GetConstructor() == + constructor_or_backpointer()); set_constructor_or_backpointer(value, mode); } @@ -3743,7 +3742,7 @@ FunctionTemplateInfo* Map::GetFunctionTemplateInfo() const { void Map::SetConstructor(Object* constructor, WriteBarrierMode mode) { // Never overwrite a back pointer with a constructor. - DCHECK(!constructor_or_backpointer()->IsMap()); + CHECK(!constructor_or_backpointer()->IsMap()); set_constructor_or_backpointer(constructor, mode); } diff --git a/deps/v8/src/objects.cc b/deps/v8/src/objects.cc index 7b3c632a44..bd876e67d7 100644 --- a/deps/v8/src/objects.cc +++ b/deps/v8/src/objects.cc @@ -13014,14 +13014,19 @@ MaybeHandle<Map> JSFunction::GetDerivedMap(Isolate* isolate, constructor_initial_map->UnusedPropertyFields(); int instance_size; int in_object_properties; - CalculateInstanceSizeForDerivedClass(function, instance_type, - embedder_fields, &instance_size, - &in_object_properties); + bool success = CalculateInstanceSizeForDerivedClass( + function, instance_type, embedder_fields, &instance_size, + &in_object_properties); int unused_property_fields = in_object_properties - pre_allocated; - Handle<Map> map = - Map::CopyInitialMap(constructor_initial_map, instance_size, - in_object_properties, unused_property_fields); + + Handle<Map> map; + if (success) { + map = Map::CopyInitialMap(constructor_initial_map, instance_size, + in_object_properties, unused_property_fields); + } else { + map = Map::CopyInitialMap(constructor_initial_map); + } map->set_new_target_is_base(false); JSFunction::SetInitialMap(function, map, prototype); @@ -13726,12 +13731,14 @@ void JSFunction::CalculateInstanceSizeHelper(InstanceType instance_type, requested_embedder_fields; } -void JSFunction::CalculateInstanceSizeForDerivedClass( +// static +bool JSFunction::CalculateInstanceSizeForDerivedClass( Handle<JSFunction> function, InstanceType instance_type, int requested_embedder_fields, int* instance_size, int* in_object_properties) { Isolate* isolate = function->GetIsolate(); int expected_nof_properties = 0; + bool result = true; for (PrototypeIterator iter(isolate, function, kStartAtReceiver); !iter.IsAtEnd(); iter.Advance()) { Handle<JSReceiver> current = @@ -13745,6 +13752,11 @@ void JSFunction::CalculateInstanceSizeForDerivedClass( Compiler::Compile(func, Compiler::CLEAR_EXCEPTION)) { DCHECK(shared->is_compiled()); expected_nof_properties += shared->expected_nof_properties(); + } else if (!shared->is_compiled()) { + // In case there was a compilation error for the constructor we will + // throw an error during instantiation. Hence we directly return 0; + result = false; + break; } if (!IsDerivedConstructor(shared->kind())) { break; @@ -13753,6 +13765,7 @@ void JSFunction::CalculateInstanceSizeForDerivedClass( CalculateInstanceSizeHelper(instance_type, true, requested_embedder_fields, expected_nof_properties, instance_size, in_object_properties); + return result; } diff --git a/deps/v8/src/objects.h b/deps/v8/src/objects.h index a9be023ec8..521c0e6554 100644 --- a/deps/v8/src/objects.h +++ b/deps/v8/src/objects.h @@ -4082,7 +4082,7 @@ class JSFunction: public JSObject { DECL_CAST(JSFunction) // Calculate the instance size and in-object properties count. - static void CalculateInstanceSizeForDerivedClass( + static bool CalculateInstanceSizeForDerivedClass( Handle<JSFunction> function, InstanceType instance_type, int requested_embedder_fields, int* instance_size, int* in_object_properties); diff --git a/deps/v8/src/profiler/heap-snapshot-generator.cc b/deps/v8/src/profiler/heap-snapshot-generator.cc index 1f6459c904..6f3a952d1f 100644 --- a/deps/v8/src/profiler/heap-snapshot-generator.cc +++ b/deps/v8/src/profiler/heap-snapshot-generator.cc @@ -1113,8 +1113,6 @@ void V8HeapExplorer::ExtractMapReferences(int entry, Map* map) { constructor_or_backpointer, Map::kConstructorOrBackPointerOffset); } else { - DCHECK(constructor_or_backpointer->IsJSFunction() || - constructor_or_backpointer->IsNull(map->GetIsolate())); SetInternalReference(map, entry, "constructor", constructor_or_backpointer, Map::kConstructorOrBackPointerOffset); } diff --git a/deps/v8/test/cctest/test-heap-profiler.cc b/deps/v8/test/cctest/test-heap-profiler.cc index a0796ccd56..5a94708ba8 100644 --- a/deps/v8/test/cctest/test-heap-profiler.cc +++ b/deps/v8/test/cctest/test-heap-profiler.cc @@ -3184,3 +3184,14 @@ TEST(SamplingHeapProfilerSampleDuringDeopt) { CHECK(profile); heap_profiler->StopSamplingHeapProfiler(); } + +TEST(HeapSnapshotPrototypeNotJSReceiver) { + LocalContext env; + v8::HandleScope scope(env->GetIsolate()); + v8::HeapProfiler* heap_profiler = env->GetIsolate()->GetHeapProfiler(); + CompileRun( + "function object() {}" + "object.prototype = 42;"); + const v8::HeapSnapshot* snapshot = heap_profiler->TakeHeapSnapshot(); + CHECK(ValidateSnapshot(snapshot)); +} diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-806388.js b/deps/v8/test/mjsunit/regress/regress-crbug-806388.js new file mode 100644 index 0000000000..b55b50107e --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-crbug-806388.js @@ -0,0 +1,20 @@ +// Copyright 2018 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax --enable-slow-asserts --expose-gc + +class Derived extends Array { + constructor(a) { + // Syntax Error. + const a = 1; + } +} + +// Derived is not a subclass of RegExp +let o = Reflect.construct(RegExp, [], Derived); +o.lastIndex = 0x1234; +%HeapObjectVerify(o); + +gc(); +%HeapObjectVerify(o); |