Handle nonextensible obj in Map::GetInitalElements

This code is triggered by Runtime_ArrayIncludes_Slow. The elements kind changes from DICTIONARY (with accessor property using Object.defineProperty) to empty DICTIONARY (by set the length to 0), to frozen/seal/nonextensible elements. This element kind transition happened in accessor property by Array.includes. Bug: v8:9894 Change-Id: I224ceb537ff358a30a6e00414c71d6fe18924bb4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876994 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#64575}

Handle nonextensible obj in Map::GetInitalElements
This code is triggered by Runtime_ArrayIncludes_Slow. The elements kind changes from DICTIONARY (with accessor property using Object.defineProperty) to empty DICTIONARY (by set the length to 0), to frozen/seal/nonextensible elements. This element kind transition happened in accessor property by Array.includes. Bug: v8:9894 Change-Id: I224ceb537ff358a30a6e00414c71d6fe18924bb4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876994 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#64575}
65079f10 · Z Nguyen-Huu · Commit Bot · 6d1c9afc · 65079f10 · 65079f10
Commit 65079f10 authored Oct 24, 2019 by Z Nguyen-Huu Committed by Commit Bot Oct 28, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 50 additions and 1 deletion

map-inl.h src/objects/map-inl.h +2 -1

regress-9894.js test/mjsunit/regress/regress-9894.js +48 -0

No files found.
--- a/src/objects/map-inl.h
+++ b/src/objects/map-inl.h
@@ -211,7 +211,8 @@ void Map::SetEnumLength(int length) {

 FixedArrayBase Map::GetInitialElements() const {
  FixedArrayBase result;
-  if (has_fast_elements() || has_fast_string_wrapper_elements()) {
+  if (has_fast_elements() || has_fast_string_wrapper_elements() ||
+      has_any_nonextensible_elements()) {
    result = GetReadOnlyRoots().empty_fixed_array();
  } else if (has_fast_sloppy_arguments_elements()) {
    result = GetReadOnlyRoots().empty_sloppy_arguments_elements();

--- a/test/mjsunit/regress/regress-9894.js
+++ b/test/mjsunit/regress/regress-9894.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+(function frozen() {
+  const ary = [1.1]
+  Object.defineProperty(ary, 0, {get:run_it} );
+
+  // v8::internal::Runtime_ArrayIncludes_Slow.
+  ary.includes();
+
+  function run_it(el) {
+    ary.length = 0;
+    ary[0] = 1.1;
+    Object.freeze(ary);
+    return 2.2;
+  }
+})();
+
+(function seal() {
+  const ary = [1.1]
+  Object.defineProperty(ary, 0, {get:run_it} );
+
+  // v8::internal::Runtime_ArrayIncludes_Slow.
+  ary.includes();
+
+  function run_it(el) {
+    ary.length = 0;
+    ary[0] = 1.1;
+    Object.seal(ary);
+    return 2.2;
+  }
+})();
+
+(function preventExtensions() {
+  const ary = [1.1]
+  Object.defineProperty(ary, 0, {get:run_it} );
+
+  // v8::internal::Runtime_ArrayIncludes_Slow.
+  ary.includes();
+
+  function run_it(el) {
+    ary.length = 0;
+    ary[0] = 1.1;
+    Object.preventExtensions(ary);
+    return 2.2;
+  }
+})();