[elements] update Dictionary in IncludesValue if own elements change

Ensure that receiver->elements() == *dictionary after calling an accessor, in addition to checking the prototype. BUG=chromium:634273, chromium: 634357, v8:5162 R=cbruni@chromium.org, mstarzinger@chromium.org Review-Url: https://codereview.chromium.org/2212963002 Cr-Commit-Position: refs/heads/master@{#38347}

[elements] update Dictionary in IncludesValue if own elements change
Ensure that receiver->elements() == *dictionary after calling an accessor, in addition to checking the prototype. BUG=chromium:634273, chromium: 634357, v8:5162 R=cbruni@chromium.org, mstarzinger@chromium.org Review-Url: https://codereview.chromium.org/2212963002 Cr-Commit-Position: refs/heads/master@{#38347}
9977a2ca · caitp · Commit bot · a2496b94 · 9977a2ca · 9977a2ca
Commit 9977a2ca authored Aug 04, 2016 by caitp Committed by Commit bot Aug 04, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 47 additions and 3 deletions

elements.cc src/elements.cc +19 -3

regress-634273.js test/mjsunit/es7/regress/regress-634273.js +14 -0

regress-634357.js test/mjsunit/es7/regress/regress-634357.js +14 -0

No files found.
--- a/src/elements.cc
+++ b/src/elements.cc
@@ -1519,7 +1519,7 @@ class DictionaryElementsAccessor
        continue;
      }

-      PropertyDetails details = GetDetailsImpl(receiver->elements(), entry);
+      PropertyDetails details = GetDetailsImpl(*dictionary, entry);
      switch (details.kind()) {
        case kData: {
          Object* element_k = dictionary->ValueAt(entry);
@@ -1539,12 +1539,28 @@ class DictionaryElementsAccessor

          if (value->SameValueZero(*element_k)) return Just(true);

-          // Some mutation to the prototype elements may have occurred in
-          // accessor.
+          // Bailout to slow path if elements on prototype changed
          if (!JSObject::PrototypeHasNoElements(isolate, *receiver)) {
            return IncludesValueSlowPath(isolate, receiver, value, k + 1,
                                         length);
          }
+
+          // Continue if elements unchanged
+          if (*dictionary == receiver->elements()) continue;
+
+          // Otherwise, bailout or update elements
+          if (receiver->GetElementsKind() != DICTIONARY_ELEMENTS) {
+            if (receiver->map()->GetInitialElements() == receiver->elements()) {
+              // If switched to initial elements, return true if searching for
+              // undefined, and false otherwise.
+              return Just(search_for_hole);
+            }
+            // Otherwise, switch to slow path.
+            return IncludesValueSlowPath(isolate, receiver, value, k + 1,
+                                         length);
+          }
+          dictionary = handle(
+              SeededNumberDictionary::cast(receiver->elements()), isolate);
          break;
        }
      }

--- a/test/mjsunit/es7/regress/regress-634273.js
+++ b/test/mjsunit/es7/regress/regress-634273.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --enable-slow-asserts
+
+array = new Array(undefined, undefined, undefined);
+Object.defineProperty(array, 0, {
+  get: function() {
+    array.push(undefined, undefined);
+  }
+});
+array[0x80000] = 1;
+result = array.includes(new WeakMap());
--- a/test/mjsunit/es7/regress/regress-634357.js
+++ b/test/mjsunit/es7/regress/regress-634357.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --enable-slow-asserts
+
+array = new Array({}, {}, {});
+Object.defineProperty(array, 1, {
+  get: function() {
+    array.length = 0;
+    array[0] = -2147483648;
+  }
+});
+result = array.includes(new Intl.Collator());