Fix type confusion in libpac
From the upstream patch
(https://chromium.googlesource.com/v8/v8/+/ea55b873f2ed8336604540a532cbd460eeb66430%5E%21/#F0):
"""
Don't generate elements kind transitions from stable maps.
IC system does its best to properly mark stable transition source maps
as unstable (see https://chromium-review.googlesource.com/483442)
however an already recorded map can be deprecated later and the
optimizing compiler may try to generate an elements kind transition
from the updated version of deprecated map which can "become" stable
again.
"""
Bug: 117607414
Test: /data/nativetest/proxy_resolver_v8_unittest/proxy_resolver_v8_unittest
Test: gts-tradefed run gts --test \
com.google.android.gts.devicepolicy.DeviceOwnerTest#testProxyPacProxyTest \
--module GtsGmscoreHostTestCases
Test: PoC from bug report
Merged-In: I2e02d994f107e64e4f465b4d8a02d4159a95240e
Change-Id: I12c501bffd190e20d4a45a4256a403c5343350eb
diff --git a/src/compiler/access-info.cc b/src/compiler/access-info.cc
index 8fef2f0..d563e1d 100644
--- a/src/compiler/access-info.cc
+++ b/src/compiler/access-info.cc
@@ -231,7 +231,8 @@
MapTransitionList transitions(maps.length());
for (Handle<Map> map : maps) {
if (Map::TryUpdate(map).ToHandle(&map)) {
- Map* transition_target =
+ Map* transition_target = map->is_stable() ?
+ nullptr :
map->FindElementsKindTransitionedMap(&possible_transition_targets);
if (transition_target == nullptr) {
receiver_maps.Add(map);
diff --git a/src/crankshaft/hydrogen.cc b/src/crankshaft/hydrogen.cc
index d55bb37..df7b02f 100644
--- a/src/crankshaft/hydrogen.cc
+++ b/src/crankshaft/hydrogen.cc
@@ -7176,7 +7176,8 @@
// Get transition target for each map (NULL == no transition).
for (int i = 0; i < maps->length(); ++i) {
Handle<Map> map = maps->at(i);
- Map* transitioned_map =
+ Map* transitioned_map = map->is_stable() ?
+ nullptr :
map->FindElementsKindTransitionedMap(&possible_transitioned_maps);
if (transitioned_map != nullptr) {
transition_target.Add(handle(transitioned_map));
