From eebb61a3f9218d1ea0055034e8213bcb5d1c7909 Mon Sep 17 00:00:00 2001
From: "dslomov@chromium.org"
 <dslomov@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Thu, 14 Aug 2014 10:24:19 +0000
Subject: [PATCH] Fix OrderedHashTabelIterator accessors.

They might be undefined for uninitialized iterators.
The rest of the code is ready for this eventuality.

R=arv@chromium.org, adamk@chromium.org
BUG=403292
LOG=N

Review URL: https://codereview.chromium.org/468813003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23126 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/objects-inl.h                      |  4 +--
 src/objects.cc                         |  2 +-
 src/objects.h                          |  4 +--
 test/mjsunit/regress/regress-403292.js | 53 ++++++++++++++++++++++++++++++++++
 4 files changed, 58 insertions(+), 5 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-403292.js

diff --git a/src/objects-inl.h b/src/objects-inl.h
index 7e1c5b1..89ac974 100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -6069,8 +6069,8 @@ ACCESSORS(JSCollection, table, Object, kTableOffset)
   }
 
 ORDERED_HASH_TABLE_ITERATOR_ACCESSORS(table, Object, kTableOffset)
-ORDERED_HASH_TABLE_ITERATOR_ACCESSORS(index, Smi, kIndexOffset)
-ORDERED_HASH_TABLE_ITERATOR_ACCESSORS(kind, Smi, kKindOffset)
+ORDERED_HASH_TABLE_ITERATOR_ACCESSORS(index, Object, kIndexOffset)
+ORDERED_HASH_TABLE_ITERATOR_ACCESSORS(kind, Object, kKindOffset)
 
 #undef ORDERED_HASH_TABLE_ITERATOR_ACCESSORS
 
diff --git a/src/objects.cc b/src/objects.cc
index 29af1d8..659d75d 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -16309,7 +16309,7 @@ Smi* OrderedHashTableIterator<Derived, TableType>::Next(JSArray* value_array) {
     FixedArray* array = FixedArray::cast(value_array->elements());
     static_cast<Derived*>(this)->PopulateValueArray(array);
     MoveNext();
-    return kind();
+    return Smi::cast(kind());
   }
   return Smi::FromInt(0);
 }
diff --git a/src/objects.h b/src/objects.h
index 2bb47e8..2f52094 100644
--- a/src/objects.h
+++ b/src/objects.h
@@ -10175,10 +10175,10 @@ class OrderedHashTableIterator: public JSObject {
   DECL_ACCESSORS(table, Object)
 
   // [index]: The index into the data table.
-  DECL_ACCESSORS(index, Smi)
+  DECL_ACCESSORS(index, Object)
 
   // [kind]: The kind of iteration this is. One of the [Kind] enum values.
-  DECL_ACCESSORS(kind, Smi)
+  DECL_ACCESSORS(kind, Object)
 
 #ifdef OBJECT_PRINT
   void OrderedHashTableIteratorPrint(OStream& os);  // NOLINT
diff --git a/test/mjsunit/regress/regress-403292.js b/test/mjsunit/regress/regress-403292.js
new file mode 100644
index 0000000..4e7ba28
--- /dev/null
+++ b/test/mjsunit/regress/regress-403292.js
@@ -0,0 +1,53 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-natives-as=builtins --expose-gc
+
+var __v_7 = [];
+var __v_8 = {};
+var __v_10 = {};
+var __v_11 = this;
+var __v_12 = {};
+var __v_13 = {};
+var __v_14 = "";
+var __v_15 = {};
+try {
+__v_1 = {x:0};
+%OptimizeFunctionOnNextCall(__f_1);
+assertEquals("good", __f_1());
+delete __v_1.x;
+assertEquals("good", __f_1());
+} catch(e) { print("Caught: " + e); }
+try {
+__v_3 = new Set();
+__v_5 = new builtins.SetIterator(__v_3, -12);
+__v_4 = new Map();
+__v_6 = new builtins.MapIterator(__v_4, 2);
+__f_3(Array);
+} catch(e) { print("Caught: " + e); }
+function __f_4(__v_8, filter) {
+  function __f_6(v) {
+    for (var __v_4 in v) {
+      for (var __v_4 in v) {}
+    }
+    %OptimizeFunctionOnNextCall(filter);
+    return filter(v);
+  }
+  var __v_7 = eval(__v_8);
+  gc();
+  return __f_6(__v_7);
+}
+function __f_5(__v_6) {
+  var __v_5 = new Array(__v_6);
+  for (var __v_4 = 0; __v_4 < __v_6; __v_4++) __v_5.push('{}');
+  return __v_5;
+}
+try {
+try {
+  __v_8.test("\x80");
+  assertUnreachable();
+} catch (e) {
+}
+gc();
+} catch(e) { print("Caught: " + e); }
-- 
2.7.4