Fix hole escape in dictionary mode Array.prototype.slice()

Bug: chromium:778668 Change-Id: I0d2cc2166aab93bb7cb5dcc6c72cdb0b335a655f Reviewed-on: https://chromium-review.googlesource.com/774263 Commit-Queue: Daniel Clifford <danno@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#49410}
2017-11-16 12:39:56 +01:00 · 2017-11-16 12:39:56 +01:00 · 4002bf96e3
commit 4002bf96e3
parent 0d5d2a1ede
3 changed files with 21 additions and 12 deletions
--- a/src/elements.cc
+++ b/src/elements.cc
@ -1444,17 +1444,16 @@ class DictionaryElementsAccessor
    int entry_count = source_dict->Capacity();
    for (int i = 0; i < entry_count; i++) {
      Object* key = source_dict->KeyAt(i);
-      if (!key->IsUndefined(isolate)) {
-        uint64_t key_value = NumberToInt64(key);
-        if (key_value >= start && key_value < end) {
-          Handle<NumberDictionary> dest_dict(
-              NumberDictionary::cast(result_array->elements()));
-          Handle<Object> value(source_dict->ValueAt(i), isolate);
-          PropertyDetails details = source_dict->DetailsAt(i);
-          PropertyAttributes attr = details.attributes();
-          AddImpl(result_array, static_cast<uint32_t>(key_value) - start, value,
-                  attr, 0);
-        }
+      if (!source_dict->ToKey(isolate, i, &key)) continue;
+      uint64_t key_value = NumberToInt64(key);
+      if (key_value >= start && key_value < end) {
+        Handle<NumberDictionary> dest_dict(
+            NumberDictionary::cast(result_array->elements()));
+        Handle<Object> value(source_dict->ValueAt(i), isolate);
+        PropertyDetails details = source_dict->DetailsAt(i);
+        PropertyAttributes attr = details.attributes();
+        AddImpl(result_array, static_cast<uint32_t>(key_value) - start, value,
+                attr, 0);
      }
    }

--- a/src/objects.cc
+++ b/src/objects.cc
@ -15616,7 +15616,6 @@ void Dictionary<Derived, Shape>::Print(std::ostream& os) {
  int capacity = dictionary->Capacity();
  for (int i = 0; i < capacity; i++) {
    Object* k = dictionary->KeyAt(i);
-    if (!Shape::IsLive(isolate, k)) continue;
    if (!dictionary->ToKey(isolate, i, &k)) continue;
    os << "\n   ";
    if (k->IsString()) {
--- a/test/mjsunit/regress/regress-784863.js
+++ b/test/mjsunit/regress/regress-784863.js
@ -0,0 +1,11 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+var __v_18522 = [ 4.2, true, false];
+Object.defineProperty(__v_18522, 2, {
+  get: function () {
+    return false;
+  },
+});
+__v_18522.shift();
+__v_18522.slice();