[CloneObjectIC] Avoid FieldType confusions

camillobruni · Commit Bot · commit 78e5763181c0 · 2018-10-19T11:03:21.000Z
Do not propagate FieldTypes for kField properties. Bug: chromium:881247 Change-Id: Ia6af451cd6f3ba22a9ced1f3b43fc4cfc8f7084e Reviewed-on: https://chromium-review.googlesource.com/c/1288637 Commit-Queue: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#56813}
diff --git a/src/objects.cc b/src/objects.cc
@@ -10180,15 +10180,22 @@ Handle<DescriptorArray> DescriptorArray::CopyForFastObjectClone(
     Name* key = src->GetKey(i);
     PropertyDetails details = src->GetDetails(i);
 
-    SLOW_DCHECK(!key->IsPrivateField() && details.IsEnumerable() &&
-                details.kind() == kData);
+    DCHECK(!key->IsPrivateField());
+    DCHECK(details.IsEnumerable());
+    DCHECK_EQ(details.kind(), kData);
 
     // Ensure the ObjectClone property details are NONE, and that all source
     // details did not contain DONT_ENUM.
     PropertyDetails new_details(kData, NONE, details.location(),
                                 details.constness(), details.representation(),
                                 details.field_index());
-    descriptors->Set(i, key, src->GetValue(i), new_details);
+    // Do not propagate the field type of normal object fields from the
+    // original descriptors since FieldType changes don't create new maps.
+    MaybeObject* type = src->GetValue(i);
+    if (details.location() == PropertyLocation::kField) {
+      type = MaybeObject::FromObject(FieldType::Any());
+    }
+    descriptors->Set(i, key, type, new_details);
   }
 
   descriptors->Sort();
diff --git a/test/mjsunit/regress/regress-crbug-881247.js b/test/mjsunit/regress/regress-crbug-881247.js
@@ -0,0 +1,24 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+const resolvedPromise = Promise.resolve();
+
+function spread() {
+  const result = { ...resolvedPromise };
+  %HeapObjectVerify(result);
+  return result;
+}
+
+resolvedPromise[undefined] =  {a:1};
+%HeapObjectVerify(resolvedPromise);
+
+spread();
+
+resolvedPromise[undefined] = undefined;
+%HeapObjectVerify(resolvedPromise);
+
+spread();
+%HeapObjectVerify(resolvedPromise);
