Commit c8ed19ac authored by Jakob Kummerow's avatar Jakob Kummerow Committed by Commit Bot

Yet more size_t-index fixes

CSA::TryLookupElement must check the upper bound for dictionary-mode
indices.
The "stable map + accessor" branch of FastGetOwnValuesOrEntries must
construct its LookupIterator such that it handles the named/indexed
distinction correctly.

Bug: chromium:1029338,chromium:1029369
Change-Id: I17e74ed24c260c5cfc20c61616e75db7d347f7a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1943164
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65301}
parent a453f701
...@@ -9213,8 +9213,14 @@ void CodeStubAssembler::TryLookupElement(Node* object, Node* map, ...@@ -9213,8 +9213,14 @@ void CodeStubAssembler::TryLookupElement(Node* object, Node* map,
} }
BIND(&if_isdictionary); BIND(&if_isdictionary);
{ {
// Negative keys must be converted to property names. // Negative and too-large keys must be converted to property names.
GotoIf(IntPtrLessThan(intptr_index, IntPtrConstant(0)), if_bailout); if (Is64()) {
GotoIf(UintPtrLessThan(IntPtrConstant(JSArray::kMaxArrayIndex),
intptr_index),
if_bailout);
} else {
GotoIf(IntPtrLessThan(intptr_index, IntPtrConstant(0)), if_bailout);
}
TVARIABLE(IntPtrT, var_entry); TVARIABLE(IntPtrT, var_entry);
TNode<NumberDictionary> elements = CAST(LoadElements(object)); TNode<NumberDictionary> elements = CAST(LoadElements(object));
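Review bot: The new `if (Is64())` block leaves the 32-bit branch with only the negative-index check while the 64-bit branch replaces it with a single unsigned compare against `JSArray::kMaxArrayIndex`, and nothing in the hunk says why the platforms differ, so a later reader may be tempted to restore the negative check on 64-bit. Presumably the unsigned compare already rejects negative indices (they wrap to values above kMaxArrayIndex) and on 32-bit an intptr cannot exceed kMaxArrayIndex in the first place; a comment above the branch would make that explicit, e.g. `// 64-bit: one unsigned compare rejects both negative and too-large indices. 32-bit: intptr_t cannot exceed kMaxArrayIndex, so only negatives are rejected.` TryLookupElement begins and ends outside the hunk, and the hunk's final context line is not shown on this page.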
...@@ -1903,10 +1903,11 @@ V8_WARN_UNUSED_RESULT Maybe<bool> FastGetOwnValuesOrEntries( ...@@ -1903,10 +1903,11 @@ V8_WARN_UNUSED_RESULT Maybe<bool> FastGetOwnValuesOrEntries(
JSObject::FastPropertyAt(object, representation, field_index); JSObject::FastPropertyAt(object, representation, field_index);
} }
} else { } else {
LookupIterator it(isolate, object, next_key,
LookupIterator::OWN_SKIP_INTERCEPTOR);
DCHECK_EQ(LookupIterator::ACCESSOR, it.state());
ASSIGN_RETURN_ON_EXCEPTION_VALUE( ASSIGN_RETURN_ON_EXCEPTION_VALUE(
isolate, prop_value, isolate, prop_value, Object::GetProperty(&it), Nothing<bool>());
JSReceiver::GetProperty(isolate, object, next_key),
Nothing<bool>());
stable = object->map() == *map; stable = object->map() == *map;
*descriptors.location() = map->instance_descriptors().ptr(); *descriptors.location() = map->instance_descriptors().ptr();
} }
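Review bot: The added `DCHECK_EQ(LookupIterator::ACCESSOR, it.state())` holds only in debug builds; in release the branch relies on `Object::GetProperty(&it)` behaving correctly for whatever state the freshly constructed iterator reaches, and the hunk does not say why that is acceptable. The reason for replacing `JSReceiver::GetProperty(isolate, object, next_key)` with a locally constructed iterator appears only in the commit message (the named/indexed distinction), so it is worth a comment at the `LookupIterator it(...)` line, e.g. `// Construct the iterator from next_key so that integer-like names are classified as named vs. indexed correctly before the accessor is invoked.` FastGetOwnValuesOrEntries begins and ends outside the hunk.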
...@@ -104,3 +104,21 @@ ...@@ -104,3 +104,21 @@
v7[4294967297] = 1; v7[4294967297] = 1;
const v8 = Object.assign({}, v7); const v8 = Object.assign({}, v7);
})(); })();
// crbug.com/1029369
(function () {
let obj = {};
function AddProperty(o, k) {
Object.defineProperty(o, k, {});
if (!o.hasOwnProperty(k)) throw "Bug!";
}
AddProperty(obj, "1"); // Force dictionary-mode elements.
AddProperty(obj, 4294967295);
})();
// crbug.com/1029338
(function() {
var __v_11 = {};
__v_11.__defineGetter__(4294967295, function () {});
__v_12 = Object.entries(__v_11);
})();
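Review bot: `__v_12 = Object.entries(__v_11);` in the last added case assigns to an undeclared identifier, which creates an implicit global in sloppy mode and would throw under strict mode; declare it, `var __v_12 = Object.entries(__v_11);`, or drop the assignment since the value is never read. Both new cases use keys at or above the maximum array index (4294967295), which appears to be the point of each regression, so a short comment such as `// 4294967295 is not a valid array index, so this key is a named property.` would tell a future reader why these particular values matter. The file's added lines are shown without the blank lines the hunk header counts, so this section cannot be rebuilt verbatim from the page.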