From e1f93a82f29624478c6da53d8ee6f5e0985f0862 Mon Sep 17 00:00:00 2001 From: "ishell@chromium.org" Date: Thu, 6 Nov 2014 11:49:34 +0000 Subject: [PATCH] Fix for an assertion failure in Map::FindTransitionToField(...). Appeared after r25136. BUG=chromium:430846 LOG=N R=verwaest@chromium.org Review URL: https://codereview.chromium.org/704183002 Cr-Commit-Position: refs/heads/master@{#25185} git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@25185 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/objects-inl.h | 5 +++-- test/mjsunit/regress/regress-crbug-430846.js | 14 ++++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) create mode 100644 test/mjsunit/regress/regress-crbug-430846.js diff --git a/src/objects-inl.h b/src/objects-inl.h index 85584c4..0288bfb 100644 --- a/src/objects-inl.h +++ b/src/objects-inl.h @@ -1886,8 +1886,9 @@ Handle Map::FindTransitionToField(Handle map, Handle key) { TransitionArray* transitions = map->transitions(); int transition = transitions->Search(FIELD, *key, NONE); if (transition == TransitionArray::kNotFound) return Handle::null(); - DCHECK_EQ(FIELD, transitions->GetTargetDetails(transition).type()); - DCHECK_EQ(NONE, transitions->GetTargetDetails(transition).attributes()); + PropertyDetails details = transitions->GetTargetDetails(transition); + if (details.type() != FIELD) return Handle::null(); + DCHECK_EQ(NONE, details.attributes()); return Handle(transitions->GetTarget(transition)); } diff --git a/test/mjsunit/regress/regress-crbug-430846.js b/test/mjsunit/regress/regress-crbug-430846.js new file mode 100644 index 0000000..3047c7f --- /dev/null +++ b/test/mjsunit/regress/regress-crbug-430846.js @@ -0,0 +1,14 @@ +// Copyright 2014 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +function foo() { return 1; }; +var o1 = {}; +o1.foo = foo; + +var json = '{"foo": {"x": 1}}'; +var o2 = JSON.parse(json); +var o3 = JSON.parse(json); +assertTrue(%HaveSameMap(o2, o3)); -- 2.7.4