Commit 25d16574 authored by Seth Brenith's avatar Seth Brenith Committed by Commit Bot

[runtime] Improve handling of enumeration index on global dictionary

Bug: chromium:1056054
Change-Id: Ie1f2da98bc54a2ad5189cbe2ee1686fe1ef7019a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2079035Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
Reviewed-by: 's avatarJakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#66504}
parent da900ffe
...@@ -7287,10 +7287,9 @@ int BaseNameDictionary<Derived, Shape>::NextEnumerationIndex( ...@@ -7287,10 +7287,9 @@ int BaseNameDictionary<Derived, Shape>::NextEnumerationIndex(
// Check whether the next enumeration index is valid. // Check whether the next enumeration index is valid.
if (!PropertyDetails::IsValidIndex(index)) { if (!PropertyDetails::IsValidIndex(index)) {
// If not, we generate new indices for the properties. // If not, we generate new indices for the properties.
int length = dictionary->NumberOfElements();
Handle<FixedArray> iteration_order = IterationIndices(isolate, dictionary); Handle<FixedArray> iteration_order = IterationIndices(isolate, dictionary);
DCHECK_EQ(length, iteration_order->length()); int length = iteration_order->length();
DCHECK_LE(length, dictionary->NumberOfElements());
// Iterate over the dictionary using the enumeration order and update // Iterate over the dictionary using the enumeration order and update
// the dictionary with new enumeration indices. // the dictionary with new enumeration indices.
...@@ -7534,8 +7533,8 @@ void BaseNameDictionary<Derived, Shape>::CopyEnumKeysTo( ...@@ -7534,8 +7533,8 @@ void BaseNameDictionary<Derived, Shape>::CopyEnumKeysTo(
template <typename Derived, typename Shape> template <typename Derived, typename Shape>
Handle<FixedArray> BaseNameDictionary<Derived, Shape>::IterationIndices( Handle<FixedArray> BaseNameDictionary<Derived, Shape>::IterationIndices(
Isolate* isolate, Handle<Derived> dictionary) { Isolate* isolate, Handle<Derived> dictionary) {
int length = dictionary->NumberOfElements(); Handle<FixedArray> array =
Handle<FixedArray> array = isolate->factory()->NewFixedArray(length); isolate->factory()->NewFixedArray(dictionary->NumberOfElements());
ReadOnlyRoots roots(isolate); ReadOnlyRoots roots(isolate);
int array_size = 0; int array_size = 0;
{ {
...@@ -7547,7 +7546,13 @@ Handle<FixedArray> BaseNameDictionary<Derived, Shape>::IterationIndices( ...@@ -7547,7 +7546,13 @@ Handle<FixedArray> BaseNameDictionary<Derived, Shape>::IterationIndices(
array->set(array_size++, Smi::FromInt(i.as_int())); array->set(array_size++, Smi::FromInt(i.as_int()));
} }
DCHECK_EQ(array_size, length); // The global dictionary doesn't track its deletion count, so we may iterate
// fewer entries than the count of elements claimed by the dictionary.
if (std::is_same<Derived, GlobalDictionary>::value) {
DCHECK_LE(array_size, dictionary->NumberOfElements());
} else {
DCHECK_EQ(array_size, dictionary->NumberOfElements());
}
EnumIndexComparator<Derived> cmp(raw_dictionary); EnumIndexComparator<Derived> cmp(raw_dictionary);
// Use AtomicSlot wrapper to ensure that std::sort uses atomic load and // Use AtomicSlot wrapper to ensure that std::sort uses atomic load and
......
...@@ -177,6 +177,7 @@ ...@@ -177,6 +177,7 @@
'regress/regress-crbug-217858': [SKIP], 'regress/regress-crbug-217858': [SKIP],
'regress/regress-crbug-808192': [SKIP], 'regress/regress-crbug-808192': [SKIP],
'regress/regress-crbug-941743': [SKIP], 'regress/regress-crbug-941743': [SKIP],
'regress/regress-crbug-1056054': [SKIP],
'regress/regress-create-exception': [SKIP], 'regress/regress-create-exception': [SKIP],
# These tests run out of stack space in debug mode. # These tests run out of stack space in debug mode.
......
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function (global) {
var e = [];
for (var i = 0; i < 1e5; ++i) {
e.push('a' + i);
}
for (var j = 0; j < 900; ++j) {
for(var i = 0; i < 1e4; ++i) {
global[e[i]] = j;
delete global[e[i]];
}
}
})(this);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment