Reviewers: Michael Starzinger,
Message:
PTAL.
Description:
Ensure correct enumeration indices in the dict
BUG=chromium:148376
Please review this at https://chromiumcodereview.appspot.com/10908216/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/objects.h
M src/objects.cc
A + test/mjsunit/regress/regress-crbug-148376.js
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
57882a4d20a0f8f3a64c9919c39d94c86f64df30..34d3364cfb159434827d3d7206d24b81d3b8d61f
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -487,11 +487,20 @@ MaybeObject* JSObject::SetNormalizedProperty(String*
name,
set_properties(StringDictionary::cast(dict));
return value;
}
- // Preserve enumeration index.
+
+ PropertyDetails original_details =
property_dictionary()->DetailsAt(entry);
+ int enumeration_index;
+ // Preserve the enumeration index unless the property was deleted.
+ if (original_details.IsDeleted()) {
+ enumeration_index = property_dictionary()->NextEnumerationIndex();
+ property_dictionary()->SetNextEnumerationIndex(enumeration_index + 1);
+ } else {
+ enumeration_index = original_details.dictionary_index();
+ ASSERT(enumeration_index != 0);
+ }
+
details = PropertyDetails(
- details.attributes(),
- details.type(),
- property_dictionary()->DetailsAt(entry).dictionary_index());
+ details.attributes(), details.type(), enumeration_index);
if (IsGlobalObject()) {
JSGlobalPropertyCell* cell =
@@ -9392,8 +9401,15 @@ MaybeObject* JSObject::SetDictionaryElement(uint32_t
index,
// is read-only (a declared const that has not been initialized).
If a
// value is being defined we skip attribute checks completely.
if (set_mode == DEFINE_PROPERTY) {
+ int enumeration_index;
+ if (details.dictionary_index() == 0 && !(attributes & DONT_ENUM)) {
+ enumeration_index = dictionary->NextEnumerationIndex();
+ dictionary->SetNextEnumerationIndex(enumeration_index + 1);
+ } else {
+ enumeration_index = details.dictionary_index();
+ }
details = PropertyDetails(
- attributes, NORMAL, details.dictionary_index());
+ attributes, NORMAL, enumeration_index);
dictionary->DetailsAtPut(entry, details);
} else if (details.IsReadOnly() && !element->IsTheHole()) {
if (strict_mode == kNonStrictMode) {
Index: src/objects.h
diff --git a/src/objects.h b/src/objects.h
index
45a2ac0d8fea0a40b462f824a013b2e0489c919b..b3b2b3872f95cf3ac9a188a1a388d86ebfc06042
100644
--- a/src/objects.h
+++ b/src/objects.h
@@ -3027,6 +3027,9 @@ class Dictionary: public HashTable<Shape, Key> {
// Set the details for entry.
void DetailsAtPut(int entry, PropertyDetails value) {
+ ASSERT(value.dictionary_index() != 0 ||
+ value.IsDontEnum() ||
+ value.IsDeleted());
this->set(HashTable<Shape, Key>::EntryToIndex(entry) + 2,
value.AsSmi());
}
Index: test/mjsunit/regress/regress-crbug-148376.js
diff --git a/test/mjsunit/regress/regress-110509.js
b/test/mjsunit/regress/regress-crbug-148376.js
similarity index 90%
copy from test/mjsunit/regress/regress-110509.js
copy to test/mjsunit/regress/regress-crbug-148376.js
index
132bd233bee32f6c84061049224ea43901dae06a..c05a37882543e71ca3bb67211ab9818e9ad8349c
100644
--- a/test/mjsunit/regress/regress-110509.js
+++ b/test/mjsunit/regress/regress-crbug-148376.js
@@ -27,15 +27,11 @@
// Flags: --allow-natives-syntax
-// Verify that LRandom preserves rsi correctly.
-
-function foo() {
- Math.random();
- new Function("");
+function defineSetter(o) {
+ o.__defineSetter__('property', function() {});
}
-foo();
-foo();
-foo();
-%OptimizeFunctionOnNextCall(foo);
-foo();
+defineSetter(Object.prototype);
+property = 0;
+defineSetter(this);
+var keys = Object.keys(this);
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
