[v8-dev] Fix element enumeration on String wrappers with dictionary elements (issue 1246513002 by adamk@chromium.org)

[adamk]

Reviewers: Michael Starzinger,

https://codereview.chromium.org/1246513002/diff/1/src/objects.cc
File src/objects.cc (right):

https://codereview.chromium.org/1246513002/diff/1/src/objects.cc#newcode13033
src/objects.cc:13033: dictionary->CopyKeysTo(storage, counter, filter,
This should always be zero anyway, but it seemed cleaner to switch this
call too.

Description:
Fix element enumeration on String wrappers with dictionary elements

BUG=chromium:510426
LOG=n

Please review this at https://codereview.chromium.org/1246513002/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+5, -5 lines):
  M src/objects.cc
  A + test/mjsunit/regress/regress-crbug-510426.js


Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index  
dad194f5d3a025f2906342bdbe6541e7286d6555..d0c415e6cd7df6c5a50a7e13aa8c403a119b7db0  
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -13013,7 +13013,7 @@ int JSObject::GetOwnElementKeys(FixedArray* storage,

     case DICTIONARY_ELEMENTS: {
       if (storage != NULL) {
-        element_dictionary()->CopyKeysTo(storage, 0, filter,
+        element_dictionary()->CopyKeysTo(storage, counter, filter,
                                          SeededNumberDictionary::SORTED);
       }
       counter +=  
element_dictionary()->NumberOfElementsFilterAttributes(filter);
@@ -13030,7 +13030,7 @@ int JSObject::GetOwnElementKeys(FixedArray* storage,
         SeededNumberDictionary* dictionary =
             SeededNumberDictionary::cast(arguments);
         if (storage != NULL) {
-          dictionary->CopyKeysTo(storage, 0, filter,
+          dictionary->CopyKeysTo(storage, counter, filter,
                                  SeededNumberDictionary::UNSORTED);
         }
         counter += dictionary->NumberOfElementsFilterAttributes(filter);
Index: test/mjsunit/regress/regress-crbug-510426.js
diff --git a/test/message/arrow-param-after-rest-2.js  
b/test/mjsunit/regress/regress-crbug-510426.js
similarity index 63%
copy from test/message/arrow-param-after-rest-2.js
copy to test/mjsunit/regress/regress-crbug-510426.js
index  
3b42f1924705ffbc30094ec1288c696629c7da9b..c82dbacfa92908a6fe831835e9ef6d887c215534  
100644
--- a/test/message/arrow-param-after-rest-2.js
+++ b/test/mjsunit/regress/regress-crbug-510426.js
@@ -1,7 +1,7 @@
 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
-//
-// Flags: --harmony-rest-parameters --harmony-arrow-functions

-(w, ...x, y) => 10
+var s = new String('a');
+s[10000000] = 'bente';
+assertEquals(['0', '10000000'], Object.keys(s));


--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.