[elements] Avoid NOP operation when shrinking HashTables

Avoid writing NumberOfElements to HashTable when it hasn't changed as the HashTable could be in RO_SPACE and this operation will crash. Bug: v8:841592 Change-Id: Iffadd567fc10aa9cd13d953da81275464b16c6c0 Reviewed-on: https://chromium-review.googlesource.com/1052693 Commit-Queue: Dan Elphick <delphick@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#53116}
2018-05-10 10:57:55 +01:00 · 2018-05-10 10:57:55 +01:00 · 0b4b14bc48
commit 0b4b14bc48
parent aab49f372f
2 changed files with 25 additions and 2 deletions
--- a/src/elements.cc
+++ b/src/elements.cc
@ -1465,8 +1465,10 @@ class DictionaryElementsAccessor
            }
          }

-          // Update the number of elements.
-          dict->ElementsRemoved(removed_entries);
+          if (removed_entries > 0) {
+            // Update the number of elements.
+            dict->ElementsRemoved(removed_entries);
+          }
        }
      }
    }
--- a/test/mjsunit/regress/regress-crbug-841592.js
+++ b/test/mjsunit/regress/regress-crbug-841592.js
@ -0,0 +1,21 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// a has packed SMI elements
+a = [];
+
+// a has dictionary elements
+a.length = 0xFFFFFFF;
+
+// a has dictionary elements and the backing array is
+// empty_slow_element_dictionary (length 0)
+a.length = 0;
+
+// a has dictionary elements and the backing array is
+// empty_slow_element_dictionary (length 0xFFFFFFF)
+a.length = 0xFFFFFFF;
+
+// This will crash if V8 attempts to remove 0 elements from
+// empty_slow_element_dictionary as it is in RO_SPACE.
+a.length = 1;