Fix for 350887: CHECK failure on new_length->IsSmi()

In ElementsAccessorBase::SetLengthImpl for a dictionary array, we try to
optimize setting array length if the new length is a smi. However, we
refuse to set an array length to less than the index of the highest
non-configurable array element. This index may be outside of smi range.

Handle this case accordingly.

BUG=350887
LOG=N
R=dslomov@chromium.org

Review URL: https://codereview.chromium.org/194803002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19787 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent 9abfab09
...@@ -1859,10 +1859,18 @@ MUST_USE_RESULT MaybeObject* ElementsAccessorBase<ElementsAccessorSubclass, ...@@ -1859,10 +1859,18 @@ MUST_USE_RESULT MaybeObject* ElementsAccessorBase<ElementsAccessorSubclass,
MaybeObject* result = ElementsAccessorSubclass:: MaybeObject* result = ElementsAccessorSubclass::
SetLengthWithoutNormalize(backing_store, array, smi_length, value); SetLengthWithoutNormalize(backing_store, array, smi_length, value);
if (!result->ToObject(&new_length)) return result; if (!result->ToObject(&new_length)) return result;
ASSERT(new_length->IsSmi() || new_length->IsUndefined()); // even though the proposed length was a smi, new_length could
// still be a heap number because SetLengthWithoutNormalize doesn't
// allow the array length property to drop below the index of
// non-deletable elements.
ASSERT(new_length->IsSmi() || new_length->IsHeapNumber() ||
new_length->IsUndefined());
if (new_length->IsSmi()) { if (new_length->IsSmi()) {
array->set_length(Smi::cast(new_length)); array->set_length(Smi::cast(new_length));
return array; return array;
} else if (new_length->IsHeapNumber()) {
array->set_length(new_length);
return array;
} }
} else { } else {
return ThrowArrayLengthRangeError(array->GetHeap()); return ThrowArrayLengthRangeError(array->GetHeap());
......
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var arr = [];
assertSame(0, arr.length);
assertSame(undefined, arr[0]);
Object.defineProperty(arr, '2501866687', { value: 4, configurable: false });
// 2501866688 is out of smi range.
assertSame(2501866688, arr.length);
assertSame(undefined, arr[0]);
arr.length = 0;
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment