[runtime] Improve handling of enumeration index on global dictionary

sethbrenith · Commit Bot · commit 25d16574f83a · 2020-02-28T17:43:02.000Z
Bug: chromium:1056054 Change-Id: Ie1f2da98bc54a2ad5189cbe2ee1686fe1ef7019a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2079035 Reviewed-by: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com> Cr-Commit-Position: refs/heads/master@{#66504}
diff --git a/src/objects/objects.cc b/src/objects/objects.cc
@@ -7287,10 +7287,9 @@ int BaseNameDictionary<Derived, Shape>::NextEnumerationIndex(
   // Check whether the next enumeration index is valid.
   if (!PropertyDetails::IsValidIndex(index)) {
     // If not, we generate new indices for the properties.
-    int length = dictionary->NumberOfElements();
-
     Handle<FixedArray> iteration_order = IterationIndices(isolate, dictionary);
-    DCHECK_EQ(length, iteration_order->length());
+    int length = iteration_order->length();
+    DCHECK_LE(length, dictionary->NumberOfElements());
 
     // Iterate over the dictionary using the enumeration order and update
     // the dictionary with new enumeration indices.
@@ -7534,8 +7533,8 @@ void BaseNameDictionary<Derived, Shape>::CopyEnumKeysTo(
 template <typename Derived, typename Shape>
 Handle<FixedArray> BaseNameDictionary<Derived, Shape>::IterationIndices(
     Isolate* isolate, Handle<Derived> dictionary) {
-  int length = dictionary->NumberOfElements();
-  Handle<FixedArray> array = isolate->factory()->NewFixedArray(length);
+  Handle<FixedArray> array =
+      isolate->factory()->NewFixedArray(dictionary->NumberOfElements());
   ReadOnlyRoots roots(isolate);
   int array_size = 0;
   {
@@ -7547,7 +7546,13 @@ Handle<FixedArray> BaseNameDictionary<Derived, Shape>::IterationIndices(
       array->set(array_size++, Smi::FromInt(i.as_int()));
     }
 
-    DCHECK_EQ(array_size, length);
+    // The global dictionary doesn't track its deletion count, so we may iterate
+    // fewer entries than the count of elements claimed by the dictionary.
+    if (std::is_same<Derived, GlobalDictionary>::value) {
+      DCHECK_LE(array_size, dictionary->NumberOfElements());
+    } else {
+      DCHECK_EQ(array_size, dictionary->NumberOfElements());
+    }
 
     EnumIndexComparator<Derived> cmp(raw_dictionary);
     // Use AtomicSlot wrapper to ensure that std::sort uses atomic load and
diff --git a/test/mjsunit/mjsunit.status b/test/mjsunit/mjsunit.status
@@ -177,6 +177,7 @@
   'regress/regress-crbug-217858': [SKIP],
   'regress/regress-crbug-808192': [SKIP],
   'regress/regress-crbug-941743': [SKIP],
+  'regress/regress-crbug-1056054': [SKIP],
   'regress/regress-create-exception': [SKIP],
 
   # These tests run out of stack space in debug mode.
diff --git a/test/mjsunit/regress/regress-crbug-1056054.js b/test/mjsunit/regress/regress-crbug-1056054.js
@@ -0,0 +1,16 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+(function (global) {
+  var e = [];
+  for (var i = 0; i < 1e5; ++i) {
+    e.push('a' + i);
+  }
+  for (var j = 0; j < 900; ++j) {
+    for(var i = 0; i < 1e4; ++i) {
+      global[e[i]] = j;
+      delete global[e[i]];
+    }
+  }
+})(this);
