Allocate a new empty number dictionary when resetting elements

BUG=410332
LOG=y
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/545773003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23727 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/objects-inl.h

@@ -2897,9 +2897,6 @@ FixedArrayBase* Map::GetInitialElements() {
       GetHeap()->EmptyFixedTypedArrayForMap(this);
     DCHECK(!GetHeap()->InNewSpace(empty_array));
     return empty_array;
-  } else if (has_dictionary_elements()) {
-    DCHECK(!GetHeap()->InNewSpace(GetHeap()->empty_slow_element_dictionary()));
-    return GetHeap()->empty_slow_element_dictionary();
   } else {
     UNREACHABLE();
   }

src/objects.cc

@@ -4411,9 +4411,15 @@ void JSObject::MigrateSlowToFast(Handle<JSObject> object,
 
 
 void JSObject::ResetElements(Handle<JSObject> object) {
-  Heap* heap = object->GetIsolate()->heap();
-  CHECK(object->map() != heap->sloppy_arguments_elements_map());
-  object->set_elements(object->map()->GetInitialElements());
+  Isolate* isolate = object->GetIsolate();
+  CHECK(object->map() != isolate->heap()->sloppy_arguments_elements_map());
+  if (object->map()->has_dictionary_elements()) {
+    Handle<SeededNumberDictionary> new_elements =
+        SeededNumberDictionary::New(isolate, 0);
+    object->set_elements(*new_elements);
+  } else {
+    object->set_elements(object->map()->GetInitialElements());
+  }
 }
 
 

test/mjsunit/regress/regress-reset-dictionary-elements.js

@@ -0,0 +1,14 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var a = [];
+a[10000] = 1;
+a.length = 0;
+a[1] = 1;
+a.length = 0;
+assertEquals(undefined, a[1]);
+
+var o = {};
+Object.freeze(o);
+assertEquals(undefined, o[1]);