Reviewers: Mads Ager,
Description:
Bail out from PrepareSlowElementsForSort when hitting a key outside of
smi-range.
BUG=v8:1131
TEST=test/mjsunit/regress/regress-1131.js
Please review this at http://codereview.chromium.org/6469006/
SVN Base: http://v8.googlecode.com/svn/branches/bleeding_edge/
Affected files:
M src/objects.cc
A test/mjsunit/regress/regress-1131.js
Index: src/objects.cc
===================================================================
--- src/objects.cc (revision 6701)
+++ src/objects.cc (working copy)
@@ -8565,10 +8565,20 @@
if (value->IsUndefined()) {
undefs++;
} else {
+ if (pos > static_cast<uint32_t>(Smi::kMaxValue)) {
+ // Adding an entry with the key beyond smi-range requires
+ // allocation. Bailout.
+ return Smi::FromInt(-1);
+ }
new_dict->AddNumberEntry(pos, value,
details)->ToObjectUnchecked();
pos++;
}
} else {
+ if (key > static_cast<uint32_t>(Smi::kMaxValue)) {
+ // Adding an entry with the key beyond smi-range requires
+ // allocation. Bailout.
+ return Smi::FromInt(-1);
+ }
new_dict->AddNumberEntry(key, value, details)->ToObjectUnchecked();
}
}
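Review bot: The smi-range guard placed before each AddNumberEntry call is the same five lines written three times (here before the `pos` add and the `key` add, and again in the second hunk before the undefined-filling add); a single file-local predicate such as `static inline bool KeyFitsInSmi(uint32_t key) { return key <= static_cast<uint32_t>(Smi::kMaxValue); }` would reduce each site to `if (!KeyFitsInSmi(pos)) return Smi::FromInt(-1);` and keep the three copies from drifting apart. The guard comments explain that a non-smi key would allocate but not what the caller is expected to do with the returned `-1`; since PrepareSlowElementsForSort begins and ends outside this hunk, one sentence in its header comment stating what a negative smi result signals (presumably that the caller must redo the work on a path that may allocate) would document the contract in one place. The remaining `ToObjectUnchecked()` calls still presume that new_dict has room for every entry added here; that appears to rely on how new_dict is sized before this hunk, which is worth confirming, because a failed add would now be the only remaining way this loop could still need to allocate.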
@@ -8577,6 +8587,11 @@
uint32_t result = pos;
PropertyDetails no_details = PropertyDetails(NONE, NORMAL);
while (undefs > 0) {
+ if (pos > static_cast<uint32_t>(Smi::kMaxValue)) {
+ // Adding an entry with the key beyond smi-range requires
+ // allocation. Bailout.
+ return Smi::FromInt(-1);
+ }
new_dict->AddNumberEntry(pos, Heap::undefined_value(), no_details)->
ToObjectUnchecked();
pos++;
Index: test/mjsunit/regress/regress-1131.js
===================================================================
--- test/mjsunit/regress/regress-1131.js (revision 0)
+++ test/mjsunit/regress/regress-1131.js (revision 0)
@@ -0,0 +1,29 @@
+// Copyright 2011 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+var nonArray = { length: 4, 0: 42, 2: 37, 0xf7da5000: undefined, 4: 0 };
+Array.prototype.sort.call(nonArray);
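Review bot: The test exercises the bailout but asserts nothing about the outcome, so it only catches a crash or failed assertion in PrepareSlowElementsForSort; mjsunit's `assertEquals` could also pin the sorted result, e.g. `assertEquals(37, nonArray[0]); assertEquals(42, nonArray[1]);`, if I read the array-like correctly (length 4, holes at 1 and 3, so the two present values order by string comparison and the holes end up after them). A one-line comment above `nonArray` noting that `0xf7da5000` is chosen to exceed Smi::kMaxValue while also lying beyond `length` would explain why this particular object reaches the new bailout.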