From 1dddf69fdc2e59d2c49be2c998056b6d613e5867 Mon Sep 17 00:00:00 2001
From: "verwaest@chromium.org"
Date: Fri, 5 Sep 2014 11:38:22 +0000
Subject: [PATCH] Allocate a new empty number dictionary when resetting elements

BUG=410332
LOG=y
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/545773003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23727 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/objects-inl.h                                |  3 ---
 src/objects.cc                                   | 12 +++++++++---
 .../regress/regress-reset-dictionary-elements.js | 14 ++++++++++++++
 3 files changed, 23 insertions(+), 6 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-reset-dictionary-elements.js

diff --git a/src/objects-inl.h b/src/objects-inl.h
index 2123fa6e1..083d671d5 100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -2897,9 +2897,6 @@ FixedArrayBase* Map::GetInitialElements() {
 GetHeap()->EmptyFixedTypedArrayForMap(this);
 DCHECK(!GetHeap()->InNewSpace(empty_array));
 return empty_array;
- } else if (has_dictionary_elements()) {
- DCHECK(!GetHeap()->InNewSpace(GetHeap()->empty_slow_element_dictionary()));
- return GetHeap()->empty_slow_element_dictionary();
 } else {
 UNREACHABLE();
 }
diff --git a/src/objects.cc b/src/objects.cc
index 24f32df6a..7b942ffd2 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -4411,9 +4411,15 @@ void JSObject::MigrateSlowToFast(Handle object,
 void JSObject::ResetElements(Handle object) {
- Heap* heap = object->GetIsolate()->heap();
- CHECK(object->map() != heap->sloppy_arguments_elements_map());
- object->set_elements(object->map()->GetInitialElements());
+ Isolate* isolate = object->GetIsolate();
+ CHECK(object->map() != isolate->heap()->sloppy_arguments_elements_map());
+ if (object->map()->has_dictionary_elements()) {
+ Handle new_elements =
+ SeededNumberDictionary::New(isolate, 0);
+ object->set_elements(*new_elements);
+ } else {
+ object->set_elements(object->map()->GetInitialElements());
+ }
 }
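Review bot: Removing the has_dictionary_elements() branch makes a dictionary-elements map fall through to the UNREACHABLE() arm of Map::GetInitialElements, so any remaining caller that reaches it with such a map now takes that path; the only caller visible in this patch is JSObject::ResetElements, which the objects.cc hunk guards, but other call sites are outside the diff and worth auditing. If UNREACHABLE() is not fatal in release builds — I believe it compiled to a no-op in V8 at the time — the function would then run off its end without a return value, which is undefined behaviour rather than a clean crash. A one-line contract note would make the narrowed precondition explicit: `// Must not be called with a dictionary-elements map; those need a freshly allocated dictionary (see JSObject::ResetElements).` The function's head starts outside the hunk.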
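Review bot: The new dictionary branch in JSObject::ResetElements does not say why a fresh SeededNumberDictionary is allocated instead of the heap's shared empty_slow_element_dictionary that the objects-inl.h hunk stops handing out; the regression test suggests the shared instance was being mutated in place by later element stores, so entries leaked from one object into unrelated ones, including a frozen object — the kind of shared-state corruption that is often exploitable. A why-comment above the `if` would preserve that reasoning: `// Dictionary-mode objects need their own mutable backing store: installing the shared empty dictionary lets later stores modify it in place and leak elements across objects (BUG=410332).` Note that SeededNumberDictionary::New allocates and so may trigger GC; object is a Handle, so the subsequent set_elements is safe, but any code later added between the allocation and set_elements must stay handle-based rather than caching a raw pointer from before the allocation. The hunk's trailing context lines are not visible in this rendering.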
diff --git a/test/mjsunit/regress/regress-reset-dictionary-elements.js b/test/mjsunit/regress/regress-reset-dictionary-elements.js
new file mode 100644
index 000000000..d3d093ec0
--- /dev/null
+++ b/test/mjsunit/regress/regress-reset-dictionary-elements.js
@@ -0,0 +1,14 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var a = [];
+a[10000] = 1;
+a.length = 0;
+a[1] = 1;
+a.length = 0;
+assertEquals(undefined, a[1]);
+
+var o = {};
+Object.freeze(o);
+assertEquals(undefined, o[1]);
-- 
2.34.1
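Review bot: The regression test has no comment tying its two halves together, so it is not obvious that the frozen-object check at the end is only meaningful after the array manipulation above it; presumably the store `a[1] = 1` following the first `a.length = 0` was landing in a shared empty dictionary that `o` then also observed. A short header comment would let the intent survive future edits: `// Regression test for BUG=410332: resetting a dictionary-mode array must not install the shared empty dictionary, otherwise later stores leak into unrelated objects (here the frozen object o).` Without it, a later cleanup could split or reorder the two checks and silently lose the coverage.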