[runtime] Don't crash when creating an instance of a class inherited …

…from a Proxy. BUG=v8:4972 LOG=N Review-Url: https://codereview.chromium.org/1925803005 Cr-Commit-Position: refs/heads/master@{#35911}
crosswalk-project · Apr 29, 2016 · b83edcc · b83edcc
1 parent 45f52fc
commit b83edcc
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/src/objects.cc b/src/objects.cc
@@ -13164,7 +13164,9 @@ void JSFunction::CalculateInstanceSizeForDerivedClass(
   for (PrototypeIterator iter(isolate, this,
                               PrototypeIterator::START_AT_RECEIVER);
        !iter.IsAtEnd(); iter.Advance()) {
-    JSFunction* func = iter.GetCurrent<JSFunction>();
+    JSReceiver* current = iter.GetCurrent<JSReceiver>();
+    if (!current->IsJSFunction()) break;
+    JSFunction* func = JSFunction::cast(current);
     SharedFunctionInfo* shared = func->shared();
     expected_nof_properties += shared->expected_nof_properties();
     if (!IsSubclassConstructor(shared->kind())) {

diff --git a/test/mjsunit/regress/regress-v8-4972.js b/test/mjsunit/regress/regress-v8-4972.js
@@ -0,0 +1,5 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+new class extends new Proxy(class {},{}) {}