Merged: Avoid adding integrity level transitions to deprecated maps.

Revision: a474dbce7e8756ca9e8e6c6141c3853e9a610532 BUG=chromium:956426 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=ishell@chromium.org Change-Id: Iac33264535ece91f572de266c56ea4dc39e29b45 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588462 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/branch-heads/7.5@{#14} Cr-Branched-From: 35b9bf5-refs/heads/7.5.288@{#1} Cr-Branched-From: 912b391-refs/heads/master@{#60911}
nwjs · Apr 30, 2019 · 7161a28 · 7161a28
1 parent 3f13eab
commit 7161a28
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/src/objects/js-objects.cc b/src/objects/js-objects.cc
@@ -3867,6 +3867,7 @@ Maybe<bool> JSObject::PreventExtensionsWithTransition(
   }
 
   Handle<Map> old_map(object->map(), isolate);
+  old_map = Map::Update(isolate, old_map);
   TransitionsAccessor transitions(isolate, old_map);
   Map transition = transitions.SearchSpecial(*transition_marker);
   if (!transition.is_null()) {

diff --git a/test/mjsunit/regress-956426.js b/test/mjsunit/regress-956426.js
@@ -0,0 +1,10 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var b = { x: 0, y: 0, 0: '' };
+var a = { x: 0, y: 100000000000, 0: '' };
+Object.seal(b);
+b.x = '';