From: bmeurer@chromium.org Date: Thu, 24 Apr 2014 08:07:14 +0000 (+0000) Subject: Make DescriptorArray::IsMoreGeneralThan() and DescriptorArray::Merge() compatible... X-Git-Tag: upstream/4.7.83~9471 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=052f9e9b6d38bc67ebb233767826366d4036abec;p=platform%2Fupstream%2Fv8.git Make DescriptorArray::IsMoreGeneralThan() and DescriptorArray::Merge() compatible again. BUG=365172 LOG=y TEST=mjsunit/regress/regress-365172-[1-3] R=svenpanne@chromium.org Review URL: https://codereview.chromium.org/255513005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20922 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
diff --git a/src/objects.cc b/src/objects.cc
index 95b2b06..224f71a 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -8520,6 +8520,10 @@ bool DescriptorArray::IsMoreGeneralThan(int verbatim,
 if (details.type() == CONSTANT) {
 if (other_details.type() != CONSTANT) return false;
 if (GetValue(descriptor) != other->GetValue(descriptor)) return false;
+ } else if (details.type() == FIELD && other_details.type() == FIELD) {
+ if (!other->GetFieldType(descriptor)->NowIs(GetFieldType(descriptor))) {
+ return false;
+ }
 }
 }
diff --git a/test/mjsunit/regress/regress-365172-1.js b/test/mjsunit/regress/regress-365172-1.js
new file mode 100644
index 0000000..ea68285
--- /dev/null
+++ b/test/mjsunit/regress/regress-365172-1.js
@@ -0,0 +1,13 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --track-field-types
+
+var b1 = {d: 1}; var b2 = {d: 2};
+var f1 = {x: 1}; var f2 = {x: 2};
+f1.b = b1;
+f2.x = {};
+b2.d = 4.2;
+f2.b = b2;
+var x = f1.x;
diff --git a/test/mjsunit/regress/regress-365172-2.js b/test/mjsunit/regress/regress-365172-2.js
new file mode 100644
index 0000000..265901c
--- /dev/null
+++ b/test/mjsunit/regress/regress-365172-2.js
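Review bot: The new `else if` in `DescriptorArray::IsMoreGeneralThan()` (src/objects.cc) compares field types only when both descriptors are FIELD, so a FIELD on this side paired with a CONSTANT in `other` is still accepted on the representation check alone. Merge() is not visible in this hunk, so it should be confirmed whether it folds the constant's type into the merged field type in that case; if it does, the two functions can still disagree, and presumably a map whose tracked field type does not cover the stored value is exactly what this fix is meant to rule out. Independently of that, the branch deserves a why-comment such as `// Keep in sync with Merge(): other's field type must be contained in ours.` so the coupling named in the commit title is visible at the check itself. The function's body starts and ends outside the hunk.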
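Review bot: None of the three new regression tests asserts anything: regress-365172-1.js ends with `var x = f1.x;` and never checks the value, and regress-365172-2.js and regress-365172-3.js likewise pass simply by not crashing. A build without debug checks may therefore let a wrong-but-non-crashing result through; ending the first file with `assertEquals(1, f1.x);` (and adding a comparable check on `f1` after `%TryMigrateInstance(f1)` in the second) would pin the observable behaviour. Each file would also benefit from a short comment stating which map transition or migration its statements are meant to force, since that is not recoverable from the code alone.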
@@ -0,0 +1,13 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --track-field-types
+
+var b1 = {d: 1}; var b2 = {d: 2};
+var f1 = {x: 1}; var f2 = {x: 2};
+f1.b = b1;
+f2.x = {};
+b2.d = 4.2;
+f2.b = b2;
+%TryMigrateInstance(f1);
diff --git a/test/mjsunit/regress/regress-365172-3.js b/test/mjsunit/regress/regress-365172-3.js
new file mode 100644
index 0000000..103d3d0
--- /dev/null
+++ b/test/mjsunit/regress/regress-365172-3.js
@@ -0,0 +1,14 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc --track-field-types
+
+function f1(a) { return {x:a, v:''}; }
+function f2(a) { return {x:{v:a}, v:''}; }
+function f3(a) { return {x:[], v:{v:''}}; }
+f3([0]);
+a = f1(1);
+a.__defineGetter__('v', function() { gc(); return f2(this); });
+a.v;
+f3(1);