Reviewers: Toon Verwaest,

Message:
It seems like it might be cleaner to put these empty_fixed_array checks in
elements.cc instead of objects.cc, but the latter is where they are for other
calls (like Get()).

Description:
Guard ElementsAccessor::GetAttributes() call with empty_fixed_array check

This avoids bogus calls to FixedDoubleArray::cast() if a
FastDoubleElements-backed array is empty.


Please review this at https://codereview.chromium.org/11299190/

SVN Base: http://v8.googlecode.com/svn/branches/bleeding_edge

Affected files:
  M src/objects.cc
  A + test/mjsunit/regress/regress-observe-empty-double-array.js


Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index 944c5a15e596a885beb807833bdcc40e1fad9508..628d4f01a8f9d26d3402460e52b81df8d91ec52e 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -3411,9 +3411,11 @@ PropertyAttributes JSObject::GetElementAttributeWithoutInterceptor(
   HandleScope scope(isolate);
   Handle<JSReceiver> hreceiver(receiver);
   Handle<JSObject> holder(this);
-  PropertyAttributes attr = holder->GetElementsAccessor()->GetAttributes(
-      *hreceiver, *holder, index);
-  if (attr != ABSENT) return attr;
+  if (holder->elements() != isolate->heap()->empty_fixed_array()) {
+    PropertyAttributes attr = holder->GetElementsAccessor()->GetAttributes(
+        *hreceiver, *holder, index);
+    if (attr != ABSENT) return attr;
+  }

   if (holder->IsStringObjectWithCharacterAt(index)) {
     return static_cast<PropertyAttributes>(READ_ONLY | DONT_DELETE);
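Review bot: The new `if (holder->elements() != isolate->heap()->empty_fixed_array())` guard deserves a one-line comment at the call site explaining why it is needed: an empty array shares the heap's `empty_fixed_array` regardless of its elements kind, so a FAST_DOUBLE_ELEMENTS accessor would otherwise hand a `FixedArray` to `FixedDoubleArray::cast()`. Without that note a later reader cannot tell whether the check is an optimization or a correctness requirement, and the same guard in `Get()` (mentioned in the message) is the only other hint. It would also be worth confirming in the description that no elements accessor can report a present element for an `empty_fixed_array` backing store, since the guard now skips `GetAttributes()` entirely instead of letting the accessor answer ABSENT.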
Index: test/mjsunit/regress/regress-observe-empty-double-array.js
diff --git a/test/mjsunit/fast-array-length.js b/test/mjsunit/regress/regress-observe-empty-double-array.js
similarity index 87%
copy from test/mjsunit/fast-array-length.js
copy to test/mjsunit/regress/regress-observe-empty-double-array.js
index 42f2c38f49b1dd3a3c0ffa867f7db368df78e760..aea9c73b2291010870a01d496f2a299f6b40dcb2 100644
--- a/test/mjsunit/fast-array-length.js
+++ b/test/mjsunit/regress/regress-observe-empty-double-array.js
@@ -25,13 +25,13 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-// Flags: --allow-natives-syntax
-
-// This is a regression test for overlapping key and value registers.
-
-
-var a = [0, 1, 2, 3, 4, 5];
-assertTrue(%HasFastSmiElements(a));
-a.length = (1 << 30);
-assertFalse(%HasFastSmiElements(a));
+// Flags: --harmony-observation --allow-natives-syntax
+//
+// Test passes if it does not crash.

+arr = [1.1];
+Object.observe(arr, function(){});
+arr.length = 0;
+assertTrue(%HasFastDoubleElements(arr));
+// Should not crash
+arr.push(1.1);
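Review bot: The test ends right after the call that used to crash, so it never checks the observable result; an `assertEquals(1, arr.length)` after `arr.push(1.1)` would make the regression test also verify that the push itself succeeded, and the `// Should not crash` comment duplicates the `// Test passes if it does not crash.` header and can be dropped. Minor style: `arr` is assigned without `var`, making it an implicit global; `var arr = [1.1];` matches the surrounding mjsunit tests. Since this file was created as a copy of `fast-array-length.js` (similarity index 87%), please double-check that the retained license header is the one intended for new regress tests.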


--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev