%ObjectFreeze needs to exclude non-fast-path objects.

ClusterFuzz will call it with sloppy arguments and similar cases.

BUG=380049
LOG=N
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/315533002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21624 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/runtime.cc b/src/runtime.cc
index ff45190..cdea6e0 100644 (file)
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -3266,6 +3266,12 @@ RUNTIME_FUNCTION(Runtime_ObjectFreeze) {
   HandleScope scope(isolate);
   ASSERT(args.length() == 1);
   CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
+
+  // %ObjectFreeze is a fast path and these cases are handled elsewhere.
+  RUNTIME_ASSERT(!object->HasSloppyArgumentsElements() &&
+                 !object->map()->is_observed() &&
+                 !object->IsJSProxy());
+
   Handle<Object> result;
   ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, result, JSObject::Freeze(object));
   return *result;

diff --git a/test/mjsunit/regress/regress-380049.js b/test/mjsunit/regress/regress-380049.js
new file mode 100644 (file)
index 0000000..a78626c
--- /dev/null
+++ b/test/mjsunit/regress/regress-380049.js
@@ -0,0 +1,9 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(a,b,c) { return arguments; }
+var f = foo(false, null, 40);
+assertThrows(function() { %ObjectFreeze(f); });