Avoid creating indexed elements at index maxUint32

The maximum indexed element size is maxUint32-1, not maxUint32, because the maximum length of elements is maxUint32. This patch tweaks the limit to switch to named properties as appropriate. BUG=v8:4516 LOG=Y R=adamk Review URL: https://codereview.chromium.org/1431503002 Cr-Commit-Position: refs/heads/master@{#31809}

Avoid creating indexed elements at index maxUint32
The maximum indexed element size is maxUint32-1, not maxUint32, because the maximum length of elements is maxUint32. This patch tweaks the limit to switch to named properties as appropriate. BUG=v8:4516 LOG=Y R=adamk Review URL: https://codereview.chromium.org/1431503002 Cr-Commit-Position: refs/heads/master@{#31809}
755fcc5f · littledan · Commit bot · 5736eb0c · 755fcc5f · 755fcc5f
Commit 755fcc5f authored Nov 05, 2015 by littledan Committed by Commit bot Nov 05, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

macros.py src/js/macros.py +3 -0

runtime.js src/js/runtime.js +1 -1

No files found.
--- a/src/js/macros.py
+++ b/src/js/macros.py
@@ -73,6 +73,9 @@ define kSafeArgumentsLength = 0x800000;
 # 2^53 - 1
 define kMaxSafeInteger = 9007199254740991;

+# 2^32 - 1
+define kMaxUint32 = 4294967295;
+
 # Strict mode flags for passing to %SetProperty
 define kSloppyMode = 0;
 define kStrictMode = 1;

--- a/src/js/runtime.js
+++ b/src/js/runtime.js
@@ -210,7 +210,7 @@ function ConcatIterableToArray(target, iterable) {
 // argument might not be less than 2**32-1. ES2015 ToLength semantics mean that
 // this is a concern at basically all callsites.
 function AddIndexedProperty(obj, index, value) {
-  if (index === TO_UINT32(index)) {
+  if (index === TO_UINT32(index) && index !== kMaxUint32) {
    %AddElement(obj, index, value);
  } else {
    %AddNamedProperty(obj, TO_STRING(index), value, NONE);