[v8-dev] Re: Fix for 350887: CHECK failure on new_length->IsSmi() (issue 194803002)

[mvstanton]

Reviewers: Dmitry Lomov (chromium),

Message:
Committed patchset #1 manually as r19787 (presubmit successful).
Description:
Fix for 350887: CHECK failure on new_length->IsSmi()

In ElementsAccessorBase::SetLengthImpl for a dictionary array, we try to
optimize setting array length if the new length is a smi. However, we
refuse to set an array length to less than the index of the highest
non-configurable array element. This index may be outside of smi range.

Handle this case accordingly.

BUG=350887
LOG=N
R=dslo...@chromium.org

Committed: https://code.google.com/p/v8/source/detail?r=19787

Please review this at https://codereview.chromium.org/194803002/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+21, -1 lines):
  M src/elements.cc
  A test/mjsunit/regress/regress-350887.js


Index: src/elements.cc
diff --git a/src/elements.cc b/src/elements.cc
index  
2e4667d4a06b81b5c9c3f78c108defc41e260bca..e80fccf5ff923d18979393b1741a3e9cff261bc4  
100644
--- a/src/elements.cc
+++ b/src/elements.cc
@@ -1859,10 +1859,18 @@ MUST_USE_RESULT MaybeObject*  
ElementsAccessorBase<ElementsAccessorSubclass,
       MaybeObject* result = ElementsAccessorSubclass::
           SetLengthWithoutNormalize(backing_store, array, smi_length,  
value);
       if (!result->ToObject(&new_length)) return result;
-      ASSERT(new_length->IsSmi() || new_length->IsUndefined());
+      // even though the proposed length was a smi, new_length could
+      // still be a heap number because SetLengthWithoutNormalize doesn't
+      // allow the array length property to drop below the index of
+      // non-deletable elements.
+      ASSERT(new_length->IsSmi() || new_length->IsHeapNumber() ||
+             new_length->IsUndefined());
       if (new_length->IsSmi()) {
         array->set_length(Smi::cast(new_length));
         return array;
+      } else if (new_length->IsHeapNumber()) {
+        array->set_length(new_length);
+        return array;
       }
     } else {
       return ThrowArrayLengthRangeError(array->GetHeap());
Index: test/mjsunit/regress/regress-350887.js
diff --git a/test/mjsunit/regress/regress-350887.js  
b/test/mjsunit/regress/regress-350887.js
new file mode 100644
index  
0000000000000000000000000000000000000000..638aa30780dc0c9356ea5907ef815ea7a1c17967
--- /dev/null
+++ b/test/mjsunit/regress/regress-350887.js
@@ -0,0 +1,12 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var arr = [];
+assertSame(0, arr.length);
+assertSame(undefined, arr[0]);
+Object.defineProperty(arr, '2501866687', { value: 4, configurable: false  
});
+// 2501866688 is out of smi range.
+assertSame(2501866688, arr.length);
+assertSame(undefined, arr[0]);
+arr.length = 0;


--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.