From 63f1970c6cfc0257c5c9b0c10a82f9e2777ab4e7 Mon Sep 17 00:00:00 2001
From: "rossberg@chromium.org"
 <rossberg@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Tue, 25 Feb 2014 12:01:34 +0000
Subject: [PATCH] Fix crasher in Object.getOwnPropertySymbols

R=arv@chromium.org, mstarzinger@chromium.org
BUG=346141
LOG=Y

Review URL: https://codereview.chromium.org/177883002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19539 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/objects.cc                               | 12 +++++-------
 test/mjsunit/regress/regress-crbug-346141.js | 11 +++++++++++
 2 files changed, 16 insertions(+), 7 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-346141.js

diff --git a/src/objects.cc b/src/objects.cc
index e459332..410292d 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -15492,8 +15492,7 @@ int Dictionary<Shape, Key>::NumberOfElementsFilterAttributes(
   int result = 0;
   for (int i = 0; i < capacity; i++) {
     Object* k = HashTable<Shape, Key>::KeyAt(i);
-    if (HashTable<Shape, Key>::IsKey(k) &&
-        !FilterKey(k, filter)) {
+    if (HashTable<Shape, Key>::IsKey(k) && !FilterKey(k, filter)) {
       PropertyDetails details = DetailsAt(i);
       if (details.IsDeleted()) continue;
       PropertyAttributes attr = details.attributes();
@@ -15516,12 +15515,12 @@ void Dictionary<Shape, Key>::CopyKeysTo(
     FixedArray* storage,
     PropertyAttributes filter,
     typename Dictionary<Shape, Key>::SortMode sort_mode) {
-  ASSERT(storage->length() >= NumberOfEnumElements());
+  ASSERT(storage->length() >= NumberOfElementsFilterAttributes(filter));
   int capacity = HashTable<Shape, Key>::Capacity();
   int index = 0;
   for (int i = 0; i < capacity; i++) {
      Object* k = HashTable<Shape, Key>::KeyAt(i);
-     if (HashTable<Shape, Key>::IsKey(k)) {
+     if (HashTable<Shape, Key>::IsKey(k) && !FilterKey(k, filter)) {
        PropertyDetails details = DetailsAt(i);
        if (details.IsDeleted()) continue;
        PropertyAttributes attr = details.attributes();
@@ -15583,12 +15582,11 @@ void Dictionary<Shape, Key>::CopyKeysTo(
     int index,
     PropertyAttributes filter,
     typename Dictionary<Shape, Key>::SortMode sort_mode) {
-  ASSERT(storage->length() >= NumberOfElementsFilterAttributes(
-      static_cast<PropertyAttributes>(NONE)));
+  ASSERT(storage->length() >= NumberOfElementsFilterAttributes(filter));
   int capacity = HashTable<Shape, Key>::Capacity();
   for (int i = 0; i < capacity; i++) {
     Object* k = HashTable<Shape, Key>::KeyAt(i);
-    if (HashTable<Shape, Key>::IsKey(k)) {
+    if (HashTable<Shape, Key>::IsKey(k) && !FilterKey(k, filter)) {
       PropertyDetails details = DetailsAt(i);
       if (details.IsDeleted()) continue;
       PropertyAttributes attr = details.attributes();
diff --git a/test/mjsunit/regress/regress-crbug-346141.js b/test/mjsunit/regress/regress-crbug-346141.js
new file mode 100644
index 0000000..798b770
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-346141.js
@@ -0,0 +1,11 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-symbols
+
+var s = Symbol()
+var o = {}
+o[s] = 2
+o[""] = 3
+Object.getOwnPropertySymbols(o)
-- 
2.7.4