Revision: 8828
Author: [email protected]
Date: Thu Aug 4 05:46:37 2011
Log: This fixes chromium:91517.
Review URL: http://codereview.chromium.org/7566032
http://code.google.com/p/v8/source/detail?r=8828
Added:
/branches/3.4/test/mjsunit/regress/regress-91517.js
Modified:
/branches/3.4
/branches/3.4/src/objects.cc
/branches/3.4/src/objects.h
/branches/3.4/src/runtime.cc
/branches/3.4/src/version.cc
=======================================
--- /dev/null
+++ /branches/3.4/test/mjsunit/regress/regress-91517.js Thu Aug 4 05:46:37
2011
@@ -0,0 +1,112 @@
+// Copyright 2011 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Getting property names of an object with a prototype chain that
+// triggers dictionary elements in GetLocalPropertyNames() shouldn't
+// crash the runtime
+
+// Flags: --allow-natives-syntax
+
+function Object1() {
+ this.foo = 1;
+}
+
+function Object2() {
+ this.fuz = 2;
+ this.objects = new Object();
+ this.fuz1 = 2;
+ this.fuz2 = 2;
+ this.fuz3 = 2;
+ this.fuz4 = 2;
+ this.fuz5 = 2;
+ this.fuz6 = 2;
+ this.fuz7 = 2;
+ this.fuz8 = 2;
+ this.fuz9 = 2;
+ this.fuz10 = 2;
+ this.fuz11 = 2;
+ this.fuz12 = 2;
+ this.fuz13 = 2;
+ this.fuz14 = 2;
+ this.fuz15 = 2;
+ this.fuz16 = 2;
+ this.fuz17 = 2;
+ // Force dictionary-based properties
+ for (x=1;x<1000;x++) {
+ this["sdf" + x] = 2;
+ }
+}
+
+function Object3() {
+ this.boo = 3;
+}
+
+function Object4() {
+ this.baz = 4;
+}
+
+obj1 = new Object1();
+obj2 = new Object2();
+obj3 = new Object3();
+obj4 = new Object4();
+
+%SetHiddenPrototype(obj4, obj3);
+%SetHiddenPrototype(obj3, obj2);
+%SetHiddenPrototype(obj2, obj1);
+
+function contains(a, obj) {
+ for(var i = 0; i < a.length; i++) {
+ if(a[i] === obj){
+ return true;
+ }
+ }
+ return false;
+}
+names = %GetLocalPropertyNames(obj4);
+assertEquals(1021, names.length);
+assertTrue(contains(names, "baz"));
+assertTrue(contains(names, "boo"));
+assertTrue(contains(names, "foo"));
+assertTrue(contains(names, "fuz"));
+assertTrue(contains(names, "fuz1"));
+assertTrue(contains(names, "fuz2"));
+assertTrue(contains(names, "fuz3"));
+assertTrue(contains(names, "fuz4"));
+assertTrue(contains(names, "fuz5"));
+assertTrue(contains(names, "fuz6"));
+assertTrue(contains(names, "fuz7"));
+assertTrue(contains(names, "fuz8"));
+assertTrue(contains(names, "fuz9"));
+assertTrue(contains(names, "fuz10"));
+assertTrue(contains(names, "fuz11"));
+assertTrue(contains(names, "fuz12"));
+assertTrue(contains(names, "fuz13"));
+assertTrue(contains(names, "fuz14"));
+assertTrue(contains(names, "fuz15"));
+assertTrue(contains(names, "fuz16"));
+assertTrue(contains(names, "fuz17"));
+assertFalse(names[1020] == undefined);
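Review bot: The final check `assertFalse(names[1020] == undefined)` inspects only the last slot, so a regression that leaves holes elsewhere in the array, or writes some names twice, can still pass as long as the listed names are present. A loop over every entry, `for (var i = 0; i < names.length; i++) assertTrue(names[i] !== undefined);`, would pin the whole result. The expected length 1021 also deserves a comment: 1 (baz) + 1 (boo) + 19 fixed and 999 `sdf` properties on Object2 + 1 (foo). The loop counter `x` in Object2 is an implicit global; `var x` keeps it local to the constructor.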
=======================================
--- /branches/3.4/src/objects.cc Wed Jul 20 06:44:42 2011
+++ /branches/3.4/src/objects.cc Thu Aug 4 05:46:37 2011
@@ -9566,7 +9566,9 @@
}
ASSERT(storage->length() >= index);
} else {
- property_dictionary()->CopyKeysTo(storage, StringDictionary::UNSORTED);
+ property_dictionary()->CopyKeysTo(storage,
+ index,
+ StringDictionary::UNSORTED);
}
}
@@ -10316,6 +10318,7 @@
template void Dictionary<StringDictionaryShape, String*>::CopyKeysTo(
FixedArray*,
+ int,
Dictionary<StringDictionaryShape, String*>::SortMode);
template int
@@ -11414,11 +11417,11 @@
template<typename Shape, typename Key>
void Dictionary<Shape, Key>::CopyKeysTo(
FixedArray* storage,
+ int index,
typename Dictionary<Shape, Key>::SortMode sort_mode) {
ASSERT(storage->length() >= NumberOfElementsFilterAttributes(
static_cast<PropertyAttributes>(NONE)));
int capacity = HashTable<Shape, Key>::Capacity();
- int index = 0;
for (int i = 0; i < capacity; i++) {
Object* k = HashTable<Shape, Key>::KeyAt(i);
if (HashTable<Shape, Key>::IsKey(k)) {
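Review bot: The ASSERT at the top of CopyKeysTo still compares `storage->length()` with the element count alone, although the keys are now written from the caller-supplied `index` rather than from 0. The precondition should cover the offset, `ASSERT(storage->length() >= index + NumberOfElementsFilterAttributes(static_cast<PropertyAttributes>(NONE)));`, together with `ASSERT(index >= 0);`. The stores themselves are in the loop body, which continues outside this hunk, so this assumes they go to `storage` at `index` and upward. If ASSERT is compiled out of release builds, as is usual, the call site in the first objects.cc hunk is the only thing that keeps the write inside the array.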
=======================================
--- /branches/3.4/src/objects.h Wed Jul 20 06:44:42 2011
+++ /branches/3.4/src/objects.h Thu Aug 4 05:46:37 2011
@@ -2761,7 +2761,7 @@
PropertyAttributes filter,
SortMode sort_mode);
// Fill in details for properties into storage.
- void CopyKeysTo(FixedArray* storage, SortMode sort_mode);
+ void CopyKeysTo(FixedArray* storage, int index, SortMode sort_mode);
// Accessors for next enumeration index.
void SetNextEnumerationIndex(int index) {
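Review bot: The declaration comment still reads "Fill in details for properties into storage." and says nothing about the new `index` parameter. Suggest replacing it with `// Copies the keys into storage, starting at position index.` and a second line stating that the caller must size storage for index plus the number of keys. The size requirement is not enforced by the signature, so the header is where a future caller will look for it.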
=======================================
--- /branches/3.4/src/runtime.cc Wed Aug 3 06:38:05 2011
+++ /branches/3.4/src/runtime.cc Thu Aug 4 05:46:37 2011
@@ -4460,9 +4460,10 @@
// Get the property names.
jsproto = obj;
int proto_with_hidden_properties = 0;
+ int next_copy_index = 0;
for (int i = 0; i < length; i++) {
- jsproto->GetLocalPropertyNames(*names,
- i == 0 ? 0 : local_property_count[i -
1]);
+ jsproto->GetLocalPropertyNames(*names, next_copy_index);
+ next_copy_index += local_property_count[i];
if (!GetHiddenProperties(jsproto, false)->IsUndefined()) {
proto_with_hidden_properties++;
}
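Review bot: Nothing in the loop checks that the running offset stays inside `names`; the copy is only in bounds if `local_property_count[i]` matches what GetLocalPropertyNames actually writes for each object. An `ASSERT(next_copy_index <= names->length());` after the increment would catch a mismatch in debug builds. A short comment on the declaration, `// Offset in names at which the next object's keys start.`, would also record why the sum has to be cumulative. The allocation of `names` and the counting pass are outside this hunk, so their agreement with this loop cannot be confirmed from here.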
=======================================
--- /branches/3.4/src/version.cc Wed Aug 3 06:38:05 2011
+++ /branches/3.4/src/version.cc Thu Aug 4 05:46:37 2011
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 4
#define BUILD_NUMBER 14
-#define PATCH_LEVEL 7
+#define PATCH_LEVEL 8
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0