Reviewers: Michael Starzinger,
Description:
Object.defineProperty shouldn't be a hint that we're constructing a
dictionary.
BUG=362870
LOG=y
Please review this at https://codereview.chromium.org/261583004/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+42, -12 lines):
M src/objects.h
M src/objects.cc
M src/runtime.h
M src/runtime.cc
A test/mjsunit/regress/regress-362870.js
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
27335933cad546a24b50080c045baa38f4388a32..cc92c682ad27a4b3f56fba5e7bbedaebff948d13
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -4318,7 +4318,8 @@ MaybeHandle<Object>
JSObject::SetLocalPropertyIgnoreAttributes(
PropertyAttributes attributes,
ValueType value_type,
StoreMode mode,
- ExtensibilityCheck extensibility_check) {
+ ExtensibilityCheck extensibility_check,
+ StoreFromKeyed store_from_keyed) {
Isolate* isolate = object->GetIsolate();
// Make sure that the top context does not change when doing callbacks or
@@ -4359,7 +4360,7 @@ MaybeHandle<Object>
JSObject::SetLocalPropertyIgnoreAttributes(
? OMIT_TRANSITION : INSERT_TRANSITION;
// Neither properties nor transitions found.
return AddProperty(object, name, value, attributes, SLOPPY,
- MAY_BE_STORE_FROM_KEYED, extensibility_check, value_type, mode,
flag);
+ store_from_keyed, extensibility_check, value_type, mode, flag);
}
Handle<Object> old_value = isolate->factory()->the_hole_value();
Index: src/objects.h
diff --git a/src/objects.h b/src/objects.h
index
42f27641adf1396910892ef0e1dbcab3cd9b5640..fee0629542b001d850ad93d26b17aee5ff1ad12f
100644
--- a/src/objects.h
+++ b/src/objects.h
@@ -2249,7 +2249,8 @@ class JSObject: public JSReceiver {
PropertyAttributes attributes,
ValueType value_type = OPTIMAL_REPRESENTATION,
StoreMode mode = ALLOW_AS_CONSTANT,
- ExtensibilityCheck extensibility_check =
PERFORM_EXTENSIBILITY_CHECK);
+ ExtensibilityCheck extensibility_check = PERFORM_EXTENSIBILITY_CHECK,
+ StoreFromKeyed store_mode = MAY_BE_STORE_FROM_KEYED);
static inline Handle<String> ExpectedTransitionKey(Handle<Map> map);
static inline Handle<Map> ExpectedTransitionTarget(Handle<Map> map);
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index
6b7a446c5c962891345f8ba32ef13bc8ce4332a7..29284106fbed22fd475ae92873fd9ca3e2ff82c1
100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -5275,7 +5275,9 @@
RUNTIME_FUNCTION(Runtime_DefineOrRedefineDataProperty) {
Handle<Object> result;
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, result,
- Runtime::ForceSetObjectProperty(js_object, name, obj_value, attr));
+ Runtime::ForceSetObjectProperty(
+ js_object, name, obj_value, attr,
+ JSReceiver::CERTAINLY_NOT_STORE_FROM_KEYED));
return *result;
}
@@ -5387,10 +5389,12 @@ MaybeHandle<Object>
Runtime::SetObjectProperty(Isolate* isolate,
}
-MaybeHandle<Object> Runtime::ForceSetObjectProperty(Handle<JSObject>
js_object,
- Handle<Object> key,
- Handle<Object> value,
- PropertyAttributes
attr) {
+MaybeHandle<Object> Runtime::ForceSetObjectProperty(
+ Handle<JSObject> js_object,
+ Handle<Object> key,
+ Handle<Object> value,
+ PropertyAttributes attr,
+ JSReceiver::StoreFromKeyed store_from_keyed) {
Isolate* isolate = js_object->GetIsolate();
// Check if the given key is an array index.
uint32_t index;
@@ -5418,7 +5422,9 @@ MaybeHandle<Object>
Runtime::ForceSetObjectProperty(Handle<JSObject> js_object,
} else {
if (name->IsString()) name =
String::Flatten(Handle<String>::cast(name));
return JSObject::SetLocalPropertyIgnoreAttributes(
- js_object, name, value, attr);
+ js_object, name, value, attr, Object::OPTIMAL_REPRESENTATION,
+ ALLOW_AS_CONSTANT, JSReceiver::PERFORM_EXTENSIBILITY_CHECK,
+ store_from_keyed);
}
}
@@ -5432,8 +5438,10 @@ MaybeHandle<Object>
Runtime::ForceSetObjectProperty(Handle<JSObject> js_object,
return JSObject::SetElement(js_object, index, value, attr,
SLOPPY, false, DEFINE_PROPERTY);
} else {
- return JSObject::SetLocalPropertyIgnoreAttributes(js_object, name,
value,
- attr);
+ return JSObject::SetLocalPropertyIgnoreAttributes(
+ js_object, name, value, attr, Object::OPTIMAL_REPRESENTATION,
+ ALLOW_AS_CONSTANT, JSReceiver::PERFORM_EXTENSIBILITY_CHECK,
+ store_from_keyed);
}
}
Index: src/runtime.h
diff --git a/src/runtime.h b/src/runtime.h
index
eb28f837015ecd1843cd345fcb8f661008d8d36e..a47059d1f78028d84f2740ed6878cf10d2993852
100644
--- a/src/runtime.h
+++ b/src/runtime.h
@@ -819,7 +819,9 @@ class Runtime : public AllStatic {
Handle<JSObject> object,
Handle<Object> key,
Handle<Object> value,
- PropertyAttributes attr);
+ PropertyAttributes attr,
+ JSReceiver::StoreFromKeyed store_from_keyed
+ = JSReceiver::MAY_BE_STORE_FROM_KEYED);
MUST_USE_RESULT static MaybeHandle<Object> DeleteObjectProperty(
Isolate* isolate,
Index: test/mjsunit/regress/regress-362870.js
diff --git a/test/mjsunit/regress/regress-362870.js
b/test/mjsunit/regress/regress-362870.js
new file mode 100644
index
0000000000000000000000000000000000000000..c8d3fe7e4b77ec42d678711a7bdf7f0b1cfe2150
--- /dev/null
+++ b/test/mjsunit/regress/regress-362870.js
@@ -0,0 +1,18 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+// Adding a property via Object.defineProperty should not be taken as hint
that
+// we construct a dictionary, quite the opposite.
+var obj = {};
+
+for (var i = 0; i < 100; i++) {
+ Object.defineProperty(obj, "x" + i, { value: 31415 });
+ Object.defineProperty(obj, "y" + i, {
+ get: function() { return 42; },
+ set: function(value) { }
+ });
+ assertTrue(%HasFastProperties(obj));
+}
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
