From 7bfc426fc92adb977e42d9bf912ffbd9f300a1aa Mon Sep 17 00:00:00 2001
From: "svenpanne@chromium.org"
Date: Fri, 2 May 2014 06:02:00 +0000
Subject: [PATCH] Object.defineProperty shouldn't be a hint that we're constructing a dictionary.
BUG=362870
LOG=y
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/261583004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@21109 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/objects.cc | 5 +++--
 src/objects.h | 3 ++-
 src/runtime.cc | 24 ++++++++++++++++--------
 src/runtime.h | 4 +++-
 test/mjsunit/regress/regress-362870.js | 18 ++++++++++++++++++
 5 files changed, 42 insertions(+), 12 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-362870.js
diff --git a/src/objects.cc b/src/objects.cc
index b37cf3b..8651ee6 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -4306,7 +4306,8 @@ MaybeHandle JSObject::SetLocalPropertyIgnoreAttributes(
 PropertyAttributes attributes,
 ValueType value_type,
 StoreMode mode,
- ExtensibilityCheck extensibility_check) {
+ ExtensibilityCheck extensibility_check,
+ StoreFromKeyed store_from_keyed) {
 Isolate* isolate = object->GetIsolate();
 // Make sure that the top context does not change when doing callbacks or
@@ -4347,7 +4348,7 @@ MaybeHandle JSObject::SetLocalPropertyIgnoreAttributes(
 ? OMIT_TRANSITION : INSERT_TRANSITION;
 // Neither properties nor transitions found.
 return AddProperty(object, name, value, attributes, SLOPPY,
- MAY_BE_STORE_FROM_KEYED, extensibility_check, value_type, mode, flag);
+ store_from_keyed, extensibility_check, value_type, mode, flag);
 }
 Handle old_value = isolate->factory()->the_hole_value();
diff --git a/src/objects.h b/src/objects.h
index 0291e85..4ea399e 100644
--- a/src/objects.h
+++ b/src/objects.h
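Review bot: In `JSObject::SetLocalPropertyIgnoreAttributes` (src/objects.cc, hunk at -4347) the new `store_from_keyed` argument is only forwarded to `AddProperty` on the "Neither properties nor transitions found" path, and neither the signature change at -4306 nor this call says so. A caller reading the signature could assume the hint also applies when an existing property is redefined; the rest of the body is outside both hunks, so that cannot be confirmed from here. I would document it at the call, for example `// store_from_keyed is a representation hint for newly added properties only.`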
@@ -2159,7 +2159,8 @@ class JSObject: public JSReceiver {
 PropertyAttributes attributes,
 ValueType value_type = OPTIMAL_REPRESENTATION,
 StoreMode mode = ALLOW_AS_CONSTANT,
- ExtensibilityCheck extensibility_check = PERFORM_EXTENSIBILITY_CHECK);
+ ExtensibilityCheck extensibility_check = PERFORM_EXTENSIBILITY_CHECK,
+ StoreFromKeyed store_mode = MAY_BE_STORE_FROM_KEYED);
 static inline Handle ExpectedTransitionKey(Handle map);
 static inline Handle ExpectedTransitionTarget(Handle map);
diff --git a/src/runtime.cc b/src/runtime.cc
index b1f9e1f..c60b804 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -5290,7 +5290,9 @@ RUNTIME_FUNCTION(Runtime_DefineOrRedefineDataProperty) {
 Handle result;
 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
 isolate, result,
- Runtime::ForceSetObjectProperty(js_object, name, obj_value, attr));
+ Runtime::ForceSetObjectProperty(
+ js_object, name, obj_value, attr,
+ JSReceiver::CERTAINLY_NOT_STORE_FROM_KEYED));
 return *result;
 }
@@ -5402,10 +5404,12 @@ MaybeHandle Runtime::SetObjectProperty(Isolate* isolate,
 }
-MaybeHandle Runtime::ForceSetObjectProperty(Handle js_object,
- Handle key,
- Handle value,
- PropertyAttributes attr) {
+MaybeHandle Runtime::ForceSetObjectProperty(
+ Handle js_object,
+ Handle key,
+ Handle value,
+ PropertyAttributes attr,
+ JSReceiver::StoreFromKeyed store_from_keyed) {
 Isolate* isolate = js_object->GetIsolate();
 // Check if the given key is an array index.
 uint32_t index;
@@ -5433,7 +5437,9 @@ MaybeHandle Runtime::ForceSetObjectProperty(Handle js_object,
 } else {
 if (name->IsString()) name = String::Flatten(Handle::cast(name));
 return JSObject::SetLocalPropertyIgnoreAttributes(
- js_object, name, value, attr);
+ js_object, name, value, attr, Object::OPTIMAL_REPRESENTATION,
+ ALLOW_AS_CONSTANT, JSReceiver::PERFORM_EXTENSIBILITY_CHECK,
+ store_from_keyed);
 }
 }
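Review bot: The declaration in src/objects.h names the new parameter `store_mode`, while the definition in src/objects.cc calls it `store_from_keyed`, and the same list already contains `StoreMode mode` two positions earlier. With `StoreMode mode` and `StoreFromKeyed store_mode` side by side in one positional, all-defaulted parameter list, a reader can easily mistake one hint for the other, even though the distinct enum types should still make the compiler reject a swap. Rename it to match the definition: `StoreFromKeyed store_from_keyed = MAY_BE_STORE_FROM_KEYED);`. The declaration begins above the hunk.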
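Review bot: The call in `Runtime_DefineOrRedefineDataProperty` (src/runtime.cc, hunk at -5290) passes `JSReceiver::CERTAINLY_NOT_STORE_FROM_KEYED` without a comment, so the reason this entry point departs from the default lives only in the commit message. I would add `// Object.defineProperty is an explicit definition, not a keyed store; it must not count as a hint towards dictionary mode.` above the call. The regression test also defines accessors, and this patch changes only the data-property entry point; presumably the accessor path never used the hint, but that is worth confirming since it is not visible here.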
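Review bot: Both `SetLocalPropertyIgnoreAttributes` calls in `Runtime::ForceSetObjectProperty` (this hunk at -5433 and the one at -5447) now restate `Object::OPTIMAL_REPRESENTATION, ALLOW_AS_CONSTANT, JSReceiver::PERFORM_EXTENSIBILITY_CHECK` only to reach the trailing `store_from_keyed` argument. These duplicate the defaults declared in src/objects.h, so a later change to a default there would silently leave these two call sites on the old value; of the three, the extensibility check is the one with semantic weight. Either route both branches through one file-local helper, or mark the sites with `// Arguments 5-7 restate the declared defaults; only store_from_keyed is chosen here.` The function starts and ends outside both hunks.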
@@ -5447,8 +5453,10 @@ MaybeHandle Runtime::ForceSetObjectProperty(Handle js_object,
 return JSObject::SetElement(js_object, index, value, attr, SLOPPY, false, DEFINE_PROPERTY);
 } else {
- return JSObject::SetLocalPropertyIgnoreAttributes(js_object, name, value,
- attr);
+ return JSObject::SetLocalPropertyIgnoreAttributes(
+ js_object, name, value, attr, Object::OPTIMAL_REPRESENTATION,
+ ALLOW_AS_CONSTANT, JSReceiver::PERFORM_EXTENSIBILITY_CHECK,
+ store_from_keyed);
 }
 }
diff --git a/src/runtime.h b/src/runtime.h
index fa478dd..a52811f 100644
--- a/src/runtime.h
+++ b/src/runtime.h
@@ -820,7 +820,9 @@ class Runtime : public AllStatic {
 Handle object,
 Handle key,
 Handle value,
- PropertyAttributes attr);
+ PropertyAttributes attr,
+ JSReceiver::StoreFromKeyed store_from_keyed
+ = JSReceiver::MAY_BE_STORE_FROM_KEYED);
 MUST_USE_RESULT static MaybeHandle DeleteObjectProperty(
 Isolate* isolate,
diff --git a/test/mjsunit/regress/regress-362870.js b/test/mjsunit/regress/regress-362870.js
new file mode 100644
index 0000000..c8d3fe7
--- /dev/null
+++ b/test/mjsunit/regress/regress-362870.js
@@ -0,0 +1,18 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+// Adding a property via Object.defineProperty should not be taken as hint that
+// we construct a dictionary, quite the opposite.
+var obj = {};
+
+for (var i = 0; i < 100; i++) {
+ Object.defineProperty(obj, "x" + i, { value: 31415 });
+ Object.defineProperty(obj, "y" + i, {
+ get: function() { return 42; },
+ set: function(value) { }
+ });
+ assertTrue(%HasFastProperties(obj));
+}
--
2.7.4
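Review bot: Defaulting `store_from_keyed` to `JSReceiver::MAY_BE_STORE_FROM_KEYED` in the `Runtime::ForceSetObjectProperty` declaration (src/runtime.h) lets every other caller compile unchanged and keep the old hint; only the one call site updated in src/runtime.cc opts out. The remaining callers are not visible in this patch, so any of them that implements a define-style operation rather than a keyed store would still carry the behaviour this commit removes for `Object.defineProperty`. Consider dropping the default so each caller states its intent, or document the choice on the declaration: `// store_from_keyed: pass CERTAINLY_NOT_STORE_FROM_KEYED for define-style operations that are not keyed stores.`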
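Review bot: The loop bound `100` in regress-362870.js is unexplained, and the test only asserts that the object stays in fast mode for that many definitions. The bound is presumably chosen to exceed the property count at which a keyed store would switch the object to dictionary mode, but that limit is not visible in this patch, so the test is tied to an internal constant without saying which one. A short comment above the loop would make that explicit, for example `// 100 is meant to exceed the number of properties after which keyed stores go to dictionary mode.`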