Commit 65079f1

duongnhn authored and Commit Bot committed
Handle nonextensible obj in Map::GetInitialElements

This code is triggered by Runtime_ArrayIncludes_Slow. The elements kind changes from DICTIONARY (with an accessor property using Object.defineProperty) to empty DICTIONARY (by setting the length to 0), to frozen/sealed/nonextensible elements. This element kind transition happened in the accessor property by Array.includes.

Bug: v8:9894
Change-Id: I224ceb537ff358a30a6e00414c71d6fe18924bb4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1876994
Commit-Queue: Georg Neis <[email protected]>
Reviewed-by: Georg Neis <[email protected]>
Reviewed-by: Toon Verwaest <[email protected]>
Cr-Commit-Position: refs/heads/master@{#64575}
1 parent 6d1c9af commit 65079f1

2 files changed: +50 -1 lines changed

src/objects/map-inl.h

Lines changed: 2 additions & 1 deletion
@@ -211,7 +211,8 @@ void Map::SetEnumLength(int length) {
211211

212212
FixedArrayBase Map::GetInitialElements() const {
213213
FixedArrayBase result;
214-
if (has_fast_elements() || has_fast_string_wrapper_elements()) {
214+
if (has_fast_elements() || has_fast_string_wrapper_elements() ||
215+
has_any_nonextensible_elements()) {
215216
result = GetReadOnlyRoots().empty_fixed_array();
216217
} else if (has_fast_sloppy_arguments_elements()) {
217218
result = GetReadOnlyRoots().empty_sloppy_arguments_elements();
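
Review bot: the widened condition in Map::GetInitialElements (`has_fast_elements() || has_fast_string_wrapper_elements() || has_any_nonextensible_elements()`) carries no comment saying why nonextensible, sealed and frozen elements kinds take the same empty_fixed_array as fast elements. The branches that follow pick a different empty backing store per kind (empty_sloppy_arguments_elements is visible just below), and this hunk alone does not show which branch these kinds reached before the change. A one-line comment above the `if` stating the reason, with a pointer to v8:9894, would make the choice reviewable without reading the bug.
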
Lines changed: 48 additions & 0 deletions
@@ -0,0 +1,48 @@
1+
// Copyright 2019 the V8 project authors. All rights reserved.
2+
// Use of this source code is governed by a BSD-style license that can be
3+
// found in the LICENSE file.
4+
5+
(function frozen() {
6+
const ary = [1.1]
7+
Object.defineProperty(ary, 0, {get:run_it} );
8+
9+
// v8::internal::Runtime_ArrayIncludes_Slow.
10+
ary.includes();
11+
12+
function run_it(el) {
13+
ary.length = 0;
14+
ary[0] = 1.1;
15+
Object.freeze(ary);
16+
return 2.2;
17+
}
18+
})();
19+
20+
(function seal() {
21+
const ary = [1.1]
22+
Object.defineProperty(ary, 0, {get:run_it} );
23+
24+
// v8::internal::Runtime_ArrayIncludes_Slow.
25+
ary.includes();
26+
27+
function run_it(el) {
28+
ary.length = 0;
29+
ary[0] = 1.1;
30+
Object.seal(ary);
31+
return 2.2;
32+
}
33+
})();
34+
35+
(function preventExtensions() {
36+
const ary = [1.1]
37+
Object.defineProperty(ary, 0, {get:run_it} );
38+
39+
// v8::internal::Runtime_ArrayIncludes_Slow.
40+
ary.includes();
41+
42+
function run_it(el) {
43+
ary.length = 0;
44+
ary[0] = 1.1;
45+
Object.preventExtensions(ary);
46+
return 2.2;
47+
}
48+
})();
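
Review bot: none of the three cases (frozen, seal, preventExtensions) asserts anything; each calls `ary.includes();` and discards the result, so the test only proves that the call does not crash. Consider asserting on the return value of includes() and on the final state of the array (Object.isFrozen(ary), Object.isSealed(ary), Object.isExtensible(ary) respectively), so that a regression producing a wrong result instead of a crash is also caught. Smaller points: the `el` parameter in `function run_it(el)` is unused because a getter is called without arguments, `const ary = [1.1]` is missing its semicolon in all three cases, and the three bodies differ only in the Object.* call, so one helper taking that function as a parameter would remove the duplication.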
