|
|
@@ -0,0 +1,27 @@
|
|
|
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
+From: Shu-yu Guo <[email protected]>
|
|
|
+Date: Thu, 9 May 2024 12:03:28 -0700
|
|
|
+Subject: Only normalize JSObject targets in SetOrCopyDataProperties
|
|
|
+
|
|
|
+Bug: 339458194
|
|
|
+Change-Id: I4d6eebdd921971fa28d7c474535d978900ba633f
|
|
|
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5527397
|
|
|
+Reviewed-by: Rezvan Mahdavi Hezaveh <[email protected]>
|
|
|
+Commit-Queue: Shu-yu Guo <[email protected]>
|
|
|
+Cr-Commit-Position: refs/heads/main@{#93811}
|
|
|
+
|
|
|
+diff --git a/src/objects/js-objects.cc b/src/objects/js-objects.cc
|
|
|
+index a90f88a638530c565f279e249ff03d3385b01089..9cb671370b9abfd3939e382c33bae8da8491b487 100644
|
|
|
+--- a/src/objects/js-objects.cc
|
|
|
++++ b/src/objects/js-objects.cc
|
|
|
+@@ -434,9 +434,7 @@ Maybe<bool> JSReceiver::SetOrCopyDataProperties(
|
|
|
+ Nothing<bool>());
|
|
|
+
|
|
|
+ if (!from->HasFastProperties() && target->HasFastProperties() &&
|
|
|
+- !IsJSGlobalProxy(*target)) {
|
|
|
+- // JSProxy is always in slow-mode.
|
|
|
+- DCHECK(!IsJSProxy(*target));
|
|
|
++ IsJSObject(*target) && !IsJSGlobalProxy(*target)) {
|
|
|
+ // Convert to slow properties if we're guaranteed to overflow the number of
|
|
|
+ // descriptors.
|
|
|
+ int source_length;
|
Keeley Hammond