From 48e0d81205def0eb00c0557dba7b665360a5662c Mon Sep 17 00:00:00 2001
From: "bmeurer@chromium.org"
Date: Tue, 8 Apr 2014 09:36:04 +0000
Subject: [PATCH] Fix invalid local property lookup for transitions.

BUG=361025
LOG=y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/224903023

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20570 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/objects.cc | 4 ++--
 test/mjsunit/regress/regress-361025.js | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-361025.js

diff --git a/src/objects.cc b/src/objects.cc
index d370e12..d24af57 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -4228,8 +4228,8 @@ MaybeHandle JSObject::SetLocalPropertyIgnoreAttributes(
 name, value, attributes, value_type, mode, extensibility_check);
 }
- if (lookup.IsFound() &&
- (lookup.type() == INTERCEPTOR || lookup.type() == CALLBACKS)) {
+ if (lookup.IsInterceptor() ||
+ (lookup.IsDescriptorOrDictionary() && lookup.type() == CALLBACKS)) {
 object->LocalLookupRealNamedProperty(*name, &lookup);
 }
diff --git a/test/mjsunit/regress/regress-361025.js b/test/mjsunit/regress/regress-361025.js
new file mode 100644
index 0000000..74f50d8
--- /dev/null
+++ b/test/mjsunit/regress/regress-361025.js
@@ -0,0 +1,10 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc
+
+var x = new Object();
+x.__defineGetter__('a', function() { return 7 });
+JSON.parse('{"a":2600753951}');
+gc();
-- 
2.7.4
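Review bot: The rewritten condition in `SetLocalPropertyIgnoreAttributes` carries no comment explaining why `lookup.type()` is now read only behind `lookup.IsDescriptorOrDictionary()`, although that guard is the entire fix. Judging by the commit subject, the old `lookup.IsFound()` test also admitted transition results, for which comparing `type()` with `CALLBACKS` does not describe a property that lives on the object itself; without a note the condition is easy to "simplify" back. I would add above the `if`: `// Only a real local property (descriptor or dictionary) has a type() that may be compared with CALLBACKS; a transition result must not take this path.` The function body starts and ends outside the hunk, so any other `lookup.type()` reads guarded only by `IsFound()` are not visible here and would be worth checking for the same pattern.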
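Review bot: The new regress-361025.js asserts nothing, so it can only fail by crashing; neither the getter on `x` nor the value stored by `JSON.parse` is checked afterwards. Presumably the `gc()` call is there so that a bad property store is caught when the heap is walked, which would make the strength of the test depend on the build configuration; that assumption deserves a one-line comment naming the scenario (an accessor `a` defined on one object, then `JSON.parse` storing a data property `a` on a fresh object). I would also pin the observable result with `assertEquals(7, x.a);` and `assertEquals(2600753951, JSON.parse('{"a":2600753951}').a);` so that a silent mis-store is reported on every build.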