Reviewers: danno,
Description:
Merged r12785 into 3.13 branch.
Fix deletion of hidden property with inline-stored hash.
[email protected]
BUG=chromium:157124
TEST=cctest/test-api/Regress157124
Please review this at https://codereview.chromium.org/11269003/
SVN Base: https://v8.googlecode.com/svn/branches/3.13
Affected files:
M src/objects.cc
M src/version.cc
M test/cctest/test-api.cc
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
254cd26f57f9d6aef3ea2e12a1cda263e3b61e2c..bb31c379aad7fe7a9be1e3ad247e2efaeeabdf38
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -3557,7 +3557,6 @@ Object* JSObject::GetHiddenProperty(String* key) {
ASSERT(!IsJSGlobalProxy());
MaybeObject* hidden_lookup =
GetHiddenPropertiesHashTable(ONLY_RETURN_INLINE_VALUE);
- ASSERT(!hidden_lookup->IsFailure()); // No failure when passing false
as arg.
Object* inline_value = hidden_lookup->ToObjectUnchecked();
if (inline_value->IsSmi()) {
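Review bot: With `ASSERT(!hidden_lookup->IsFailure())` removed, nothing in GetHiddenProperty records why `ToObjectUnchecked()` is safe on the result of `GetHiddenPropertiesHashTable(ONLY_RETURN_INLINE_VALUE)`. The old comment was stale (it spoke of passing false), but the unchecked conversion still relies on the invariant it described. I would add one line above the lookup, e.g. `// ONLY_RETURN_INLINE_VALUE is expected never to return a failure, so ToObjectUnchecked() is safe here.`, with the wording confirmed against GetHiddenPropertiesHashTable, which is not part of this diff. The same applies to the SetHiddenProperty and DeleteHiddenProperty hunks below; the function body continues outside this hunk.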
@@ -3598,13 +3597,11 @@ MaybeObject* JSObject::SetHiddenProperty(String*
key, Object* value) {
return JSObject::cast(proxy_parent)->SetHiddenProperty(key, value);
}
ASSERT(!IsJSGlobalProxy());
-
- // If there is no backing store yet, store the identity hash inline.
MaybeObject* hidden_lookup =
GetHiddenPropertiesHashTable(ONLY_RETURN_INLINE_VALUE);
- ASSERT(!hidden_lookup->IsFailure());
Object* inline_value = hidden_lookup->ToObjectUnchecked();
+ // If there is no backing store yet, store the identity hash inline.
if (value->IsSmi() &&
key == GetHeap()->identity_hash_symbol() &&
(inline_value->IsUndefined() || inline_value->IsSmi())) {
@@ -3641,15 +3638,16 @@ void JSObject::DeleteHiddenProperty(String* key) {
JSObject::cast(proxy_parent)->DeleteHiddenProperty(key);
return;
}
+ ASSERT(!IsJSGlobalProxy());
MaybeObject* hidden_lookup =
GetHiddenPropertiesHashTable(ONLY_RETURN_INLINE_VALUE);
- ASSERT(!hidden_lookup->IsFailure()); // No failure when passing false
as arg.
- if (hidden_lookup->ToObjectUnchecked()->IsUndefined()) return;
+ Object* inline_value = hidden_lookup->ToObjectUnchecked();
+
// We never delete (inline-stored) identity hashes.
- ASSERT(!hidden_lookup->ToObjectUnchecked()->IsSmi());
+ ASSERT(key != GetHeap()->identity_hash_symbol());
+ if (inline_value->IsUndefined() || inline_value->IsSmi()) return;
- ObjectHashTable* hashtable =
- ObjectHashTable::cast(hidden_lookup->ToObjectUnchecked());
+ ObjectHashTable* hashtable = ObjectHashTable::cast(inline_value);
MaybeObject* delete_result = hashtable->Put(key,
GetHeap()->the_hole_value());
USE(delete_result);
ASSERT(!delete_result->IsFailure()); // Delete does not cause GC.
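Review bot: The new guard `ASSERT(key != GetHeap()->identity_hash_symbol())` only exists in debug builds, so release builds depend on every caller never passing that key. The early return on `IsUndefined() || IsSmi()` covers the inline-stored case, but once the backing store is a hash table a matching key would reach `hashtable->Put(key, GetHeap()->the_hole_value())` and presumably drop the stored identity hash. Whether the public DeleteHiddenValue path can produce that key is not visible in this diff. If it can, a runtime check such as `if (key == GetHeap()->identity_hash_symbol()) return;` before the cast would make the comment "We never delete (inline-stored) identity hashes" hold in release builds too. The function starts before this hunk.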
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index
c8c8fc30b0d5c97a1710e19281d40fd3fe1973f0..8e7cd3da22e8f78f15776ac7c4310bf819ca047d
100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 13
#define BUILD_NUMBER 7
-#define PATCH_LEVEL 4
+#define PATCH_LEVEL 5
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
Index: test/cctest/test-api.cc
diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
index
1e12652c0a70aafe527b40be717e5f7c5b876cec..ff30a37ad3fa02a3885b7f93d5cf38e8f5975ea4
100644
--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -17445,6 +17445,16 @@ THREADED_TEST(Regress149912) {
}
+THREADED_TEST(Regress157124) {
+ v8::HandleScope scope;
+ LocalContext context;
+ Local<ObjectTemplate> templ = ObjectTemplate::New();
+ Local<Object> obj = templ->NewInstance();
+ obj->GetIdentityHash();
+ obj->DeleteHiddenValue(v8_str("Bug"));
+}
+
+
#ifndef WIN32
class ThreadInterruptTest {
public:
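Review bot: Regress157124 contains no assertion, so it only proves that `DeleteHiddenValue` no longer crashes when the identity hash is stored inline. It would also pin the intended behaviour to capture the hash first, `int hash = obj->GetIdentityHash();`, and after the delete add `CHECK_EQ(hash, obj->GetIdentityHash());`. That way a later change that silently clears the inline value would fail the test instead of passing.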