Fix element enumeration on String wrappers with dictionary elements

BUG=chromium:510426
LOG=n

Review URL: https://codereview.chromium.org/1246513002

Cr-Commit-Position: refs/heads/master@{#29745}

diff --git a/src/objects.cc b/src/objects.cc
index dad194f5d3a025f2906342bdbe6541e7286d6555..d0c415e6cd7df6c5a50a7e13aa8c403a119b7db0 100644 (file)
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -13013,7 +13013,7 @@ int JSObject::GetOwnElementKeys(FixedArray* storage,
 
     case DICTIONARY_ELEMENTS: {
       if (storage != NULL) {
-        element_dictionary()->CopyKeysTo(storage, 0, filter,
+        element_dictionary()->CopyKeysTo(storage, counter, filter,
                                          SeededNumberDictionary::SORTED);
       }
       counter += element_dictionary()->NumberOfElementsFilterAttributes(filter);
@@ -13030,7 +13030,7 @@ int JSObject::GetOwnElementKeys(FixedArray* storage,
         SeededNumberDictionary* dictionary =
             SeededNumberDictionary::cast(arguments);
         if (storage != NULL) {
-          dictionary->CopyKeysTo(storage, 0, filter,
+          dictionary->CopyKeysTo(storage, counter, filter,
                                  SeededNumberDictionary::UNSORTED);
         }
         counter += dictionary->NumberOfElementsFilterAttributes(filter);

diff --git a/test/mjsunit/regress/regress-crbug-510426.js b/test/mjsunit/regress/regress-crbug-510426.js
new file mode 100644 (file)
index 0000000..c82dbac
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-510426.js
@@ -0,0 +1,7 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var s = new String('a');
+s[10000000] = 'bente';
+assertEquals(['0', '10000000'], Object.keys(s));