[elements] Omit fast path in PrependElementIndices

In PrependElementIndicesImpl we sort a FixedArray of indices potentially containing HeapNumbers. During the string conversion we might trigger a GC. This in turn might try to read a slot where we previously had a HeapNumber but the sort sneaked a SMI in there which is not a valid pointer. BUG=chromium:630561 Review-Url: https://codereview.chromium.org/2173653003 Cr-Commit-Position: refs/heads/master@{#37993}

[elements] Omit fast path in PrependElementIndices
In PrependElementIndicesImpl we sort a FixedArray of indices potentially containing HeapNumbers. During the string conversion we might trigger a GC. This in turn might try to read a slot where we previously had a HeapNumber but the sort sneaked a SMI in there which is not a valid pointer. BUG=chromium:630561 Review-Url: https://codereview.chromium.org/2173653003 Cr-Commit-Position: refs/heads/master@{#37993}
7ede61ed · cbruni · Commit bot · 348f6934 · 7ede61ed · 7ede61ed
Commit 7ede61ed authored Jul 23, 2016 by cbruni Committed by Commit bot Jul 23, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 12 deletions

elements.cc src/elements.cc +2 -12

regress-crbug-630561.js test/mjsunit/regress/regress-crbug-630561.js +13 -0

No files found.
--- a/src/elements.cc
+++ b/src/elements.cc
@@ -1041,25 +1041,15 @@ class ElementsAccessorBase : public ElementsAccessor {
        combined_keys, &nof_indices);

    if (needs_sorting) {
-      SortIndices(combined_keys, nof_indices, SKIP_WRITE_BARRIER);
-      uint32_t array_length = 0;
+      SortIndices(combined_keys, nof_indices);
      // Indices from dictionary elements should only be converted after
      // sorting.
      if (convert == GetKeysConversion::kConvertToString) {
        for (uint32_t i = 0; i < nof_indices; i++) {
          Handle<Object> index_string = isolate->factory()->Uint32ToString(
-                  combined_keys->get(i)->Number());
+              combined_keys->get(i)->Number());
          combined_keys->set(i, *index_string);
        }
-      } else if (!(object->IsJSArray() &&
-                   JSArray::cast(*object)->length()->ToArrayLength(
-                       &array_length) &&
-                   array_length <= Smi::kMaxValue)) {
-        // Since we use std::sort above, the GC will no longer know where the
-        // HeapNumbers are.  For Arrays with valid Smi length, we are sure to
-        // have no HeapNumber indices and thus we can skip this step.
-        FIXED_ARRAY_ELEMENTS_WRITE_BARRIER(isolate->heap(), *combined_keys, 0,
-                                           nof_indices);
      }
    }


--- a/test/mjsunit/regress/regress-crbug-630561.js
+++ b/test/mjsunit/regress/regress-crbug-630561.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --gc-interval=30
+
+var dict_elements = {};
+
+for (var i= 0; i< 100; i++) {
+  dict_elements[2147483648 + i] = i;
+}
+
+var keys = Object.keys(dict_elements);