[builtins] Properly handle DICTIONARY_ELEMENTS in Promise.all closures.

Bug: chromium:820312 Change-Id: Ie9237a5c53ac7121e469af460a2f0ad5016d9d03 Reviewed-on: https://chromium-review.googlesource.com/957090 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#51844}

[builtins] Properly handle DICTIONARY_ELEMENTS in Promise.all closures.
Bug: chromium:820312 Change-Id: Ie9237a5c53ac7121e469af460a2f0ad5016d9d03 Reviewed-on: https://chromium-review.googlesource.com/957090 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#51844}
fd29e1d8 · Benedikt Meurer · Commit Bot · b10dc352 · fd29e1d8 · fd29e1d8
Commit fd29e1d8 authored Mar 09, 2018 by Benedikt Meurer Committed by Commit Bot Mar 09, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 0 deletions

builtins-promise-gen.cc src/builtins/builtins-promise-gen.cc +4 -0

regress-crbug-820312.js test/mjsunit/regress/regress-crbug-820312.js +26 -0

No files found.
--- a/src/builtins/builtins-promise-gen.cc
+++ b/src/builtins/builtins-promise-gen.cc
@@ -1980,6 +1980,10 @@ TF_BUILTIN(PromiseAllResolveElementClosure, PromiseBuiltinsAssembler) {
  {
    VARIABLE(var_elements, MachineRepresentation::kTagged,
             LoadElements(values_array));
+    // Check that the {values_array} is still in fast mode.
+    Node* const elements_kind = LoadMapElementsKind(LoadMap(values_array));
+    GotoIf(Word32Equal(elements_kind, Int32Constant(DICTIONARY_ELEMENTS)),
+           &runtime_set_element);
    PossiblyGrowElementsCapacity(SMI_PARAMETERS, PACKED_ELEMENTS, values_array,
                                 index, &var_elements, SmiConstant(1),
                                 &runtime_set_element);

--- a/test/mjsunit/regress/regress-crbug-820312.js
+++ b/test/mjsunit/regress/regress-crbug-820312.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+let arr = new Array(0x10000);
+let resolve_element_closures = new Array(0x10000);
+
+for (let i = 0; i < arr.length; i++) {
+    arr[i] = new Promise(() => {});
+    arr[i].then = ((idx, resolve) => {
+        resolve_element_closures[idx] = resolve;
+    }).bind(null, i);
+}
+
+Promise.all(arr);
+
+// 0xffff is too large, transitions to DICTIONARY_ELEMENTS
+resolve_element_closures[0xffff]();
+
+// grows the capacity, the elements kind of the result array is still DICTIONARY_ELEMENTS, but the elements object of it is no more a dictionary.
+resolve_element_closures[100]();
+
+// You can observe that V8 crashes here in debug mode.
+resolve_element_closures[0xfffe]();