Fix invalid local property lookup for transitions.

BUG=361025
LOG=y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/224903023

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20570 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/objects.cc b/src/objects.cc
index d370e12..d24af57 100644 (file)
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -4228,8 +4228,8 @@ MaybeHandle<Object> JSObject::SetLocalPropertyIgnoreAttributes(
         name, value, attributes, value_type, mode, extensibility_check);
   }
 
-  if (lookup.IsFound() &&
-      (lookup.type() == INTERCEPTOR || lookup.type() == CALLBACKS)) {
+  if (lookup.IsInterceptor() ||
+      (lookup.IsDescriptorOrDictionary() && lookup.type() == CALLBACKS)) {
     object->LocalLookupRealNamedProperty(*name, &lookup);
   }
 

diff --git a/test/mjsunit/regress/regress-361025.js b/test/mjsunit/regress/regress-361025.js
new file mode 100644 (file)
index 0000000..74f50d8
--- /dev/null
+++ b/test/mjsunit/regress/regress-361025.js
@@ -0,0 +1,10 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc
+
+var x = new Object();
+x.__defineGetter__('a', function() { return 7 });
+JSON.parse('{"a":2600753951}');
+gc();