From 80acb53d22fef525703dbb6f8add487f92425119 Mon Sep 17 00:00:00 2001
From: "dslomov@chromium.org"
Date: Thu, 16 Oct 2014 19:38:32 +0000
Subject: [PATCH] Harden CopyJSObject.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/489833004

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24670 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/heap/heap.cc | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/heap/heap.cc b/src/heap/heap.cc
index 7c1b2b2..931d55e 100644
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -3716,12 +3716,14 @@ AllocationResult Heap::AllocateJSObject(JSFunction* constructor,
 AllocationResult Heap::CopyJSObject(JSObject* source, AllocationSite* site) {
-  // Never used to copy functions. If functions need to be copied we
-  // have to be careful to clear the literals array.
-  SLOW_DCHECK(!source->IsJSFunction());
-
   // Make the clone.
   Map* map = source->map();
+
+  // We can only clone normal objects or arrays. Copying anything else
+  // will break invariants.
+  CHECK(map->instance_type() == JS_OBJECT_TYPE ||
+        map->instance_type() == JS_ARRAY_TYPE);
+
   int object_size = map->instance_size();
   HeapObject* clone;
-- 
2.7.4
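Review bot: The comment above the new CHECK in CopyJSObject says only that cloning other types "will break invariants", but it does not record why this must stay a release-mode CHECK rather than the SLOW_DCHECK it replaces, so a later cleanup could plausibly downgrade it back to a debug-only assert; presumably the point (the "Harden" title suggests it) is that the source object's type cannot be trusted at this call site, and I would say so: `// CHECK, not DCHECK: the source's type is not trusted here, so reject other instance types in release builds as well.` As a style point, `map->instance_type()` is evaluated twice in the condition; hoisting it into `InstanceType type = map->instance_type();` and checking `type == JS_OBJECT_TYPE || type == JS_ARRAY_TYPE` reads more clearly and makes it obvious that both comparisons see the same value. The body of CopyJSObject continues past the end of the hunk, and the hunk header counts two more context lines than are visible here, so whatever follows `HeapObject* clone;` was not reviewed.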