From 7161a2895e34fe8f1af39e1a7ca7e956b52b9f56 Mon Sep 17 00:00:00 2001
From: Jaroslav Sevcik <jarin@chromium.org>
Date: Tue, 30 Apr 2019 09:28:37 +0200
Subject: [PATCH] Merged: Avoid adding integrity level transitions to
 deprecated maps.

Revision: a474dbce7e8756ca9e8e6c6141c3853e9a610532

BUG=chromium:956426
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=ishell@chromium.org

Change-Id: Iac33264535ece91f572de266c56ea4dc39e29b45
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588462
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/branch-heads/7.5@{#14}
Cr-Branched-From: 35b9bf5cf697b1c0fe4313c1313782d626d2afaa-refs/heads/7.5.288@{#1}
Cr-Branched-From: 912b3912b4fc294083fadcac672571bb43c2f37e-refs/heads/master@{#60911}
---
 src/objects/js-objects.cc      |  1 +
 test/mjsunit/regress-956426.js | 10 ++++++++++
 2 files changed, 11 insertions(+)
 create mode 100644 test/mjsunit/regress-956426.js

diff --git a/src/objects/js-objects.cc b/src/objects/js-objects.cc
index 5ed726f3387..841eec0edf4 100644
--- a/src/objects/js-objects.cc
+++ b/src/objects/js-objects.cc
@@ -3867,6 +3867,7 @@ Maybe<bool> JSObject::PreventExtensionsWithTransition(
   }
 
   Handle<Map> old_map(object->map(), isolate);
+  old_map = Map::Update(isolate, old_map);
   TransitionsAccessor transitions(isolate, old_map);
   Map transition = transitions.SearchSpecial(*transition_marker);
   if (!transition.is_null()) {
diff --git a/test/mjsunit/regress-956426.js b/test/mjsunit/regress-956426.js
new file mode 100644
index 00000000000..93ccd7d36db
--- /dev/null
+++ b/test/mjsunit/regress-956426.js
@@ -0,0 +1,10 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var b = { x: 0, y: 0, 0: '' };
+var a = { x: 0, y: 100000000000, 0: '' };
+Object.seal(b);
+b.x = '';