From 052f9e9b6d38bc67ebb233767826366d4036abec Mon Sep 17 00:00:00 2001 From: "bmeurer@chromium.org" Date: Thu, 24 Apr 2014 08:07:14 +0000 Subject: [PATCH] Make DescriptorArray::IsMoreGeneralThan() and DescriptorArray::Merge() compatible again. BUG=365172 LOG=y TEST=mjsunit/regress/regress-365172-[1-3] R=svenpanne@chromium.org Review URL: https://codereview.chromium.org/255513005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20922 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/objects.cc | 4 ++++ test/mjsunit/regress/regress-365172-1.js | 13 +++++++++++++ test/mjsunit/regress/regress-365172-2.js | 13 +++++++++++++ test/mjsunit/regress/regress-365172-3.js | 14 ++++++++++++++ 4 files changed, 44 insertions(+) create mode 100644 test/mjsunit/regress/regress-365172-1.js create mode 100644 test/mjsunit/regress/regress-365172-2.js create mode 100644 test/mjsunit/regress/regress-365172-3.js diff --git a/src/objects.cc b/src/objects.cc index 95b2b06..224f71a 100644 --- a/src/objects.cc +++ b/src/objects.cc @@ -8520,6 +8520,10 @@ bool DescriptorArray::IsMoreGeneralThan(int verbatim, if (details.type() == CONSTANT) { if (other_details.type() != CONSTANT) return false; if (GetValue(descriptor) != other->GetValue(descriptor)) return false; + } else if (details.type() == FIELD && other_details.type() == FIELD) { + if (!other->GetFieldType(descriptor)->NowIs(GetFieldType(descriptor))) { + return false; + } } } diff --git a/test/mjsunit/regress/regress-365172-1.js b/test/mjsunit/regress/regress-365172-1.js new file mode 100644 index 0000000..ea68285 --- /dev/null +++ b/test/mjsunit/regress/regress-365172-1.js @@ -0,0 +1,13 @@ +// Copyright 2014 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --track-field-types + +var b1 = {d: 1}; var b2 = {d: 2}; +var f1 = {x: 1}; var f2 = {x: 2}; +f1.b = b1; +f2.x = {}; +b2.d = 4.2; +f2.b = b2; +var x = f1.x; diff --git a/test/mjsunit/regress/regress-365172-2.js b/test/mjsunit/regress/regress-365172-2.js new file mode 100644 index 0000000..265901c --- /dev/null +++ b/test/mjsunit/regress/regress-365172-2.js @@ -0,0 +1,13 @@ +// Copyright 2014 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax --track-field-types + +var b1 = {d: 1}; var b2 = {d: 2}; +var f1 = {x: 1}; var f2 = {x: 2}; +f1.b = b1; +f2.x = {}; +b2.d = 4.2; +f2.b = b2; +%TryMigrateInstance(f1); diff --git a/test/mjsunit/regress/regress-365172-3.js b/test/mjsunit/regress/regress-365172-3.js new file mode 100644 index 0000000..103d3d0 --- /dev/null +++ b/test/mjsunit/regress/regress-365172-3.js @@ -0,0 +1,14 @@ +// Copyright 2014 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --expose-gc --track-field-types + +function f1(a) { return {x:a, v:''}; } +function f2(a) { return {x:{v:a}, v:''}; } +function f3(a) { return {x:[], v:{v:''}}; } +f3([0]); +a = f1(1); +a.__defineGetter__('v', function() { gc(); return f2(this); }); +a.v; +f3(1); -- 2.7.4