Fix cached EnumLength retrieval in JSObject::NumberOfOwnProperties

BUG=chromium:549162 LOG=n R=verwaest@chromium.org Review URL: https://codereview.chromium.org/1424293002 Cr-Commit-Position: refs/heads/master@{#31677}
2015-10-30 03:35:13 -07:00 · 2015-10-30 03:35:13 -07:00 · 70a2f537f6
commit 70a2f537f6
parent 47c0cb1d14
2 changed files with 14 additions and 1 deletions
--- a/src/objects.cc
+++ b/src/objects.cc
@ -14791,7 +14791,9 @@ int JSObject::NumberOfOwnProperties(PropertyAttributes filter) {
  if (HasFastProperties()) {
    Map* map = this->map();
    if (filter == NONE) return map->NumberOfOwnDescriptors();
-    if (filter & DONT_ENUM) {
+    if (filter == DONT_SHOW) {
+      // The cached enum length was computed with filter == DONT_SHOW, so
+      // that's the only filter for which it's valid to retrieve it.
      int result = map->EnumLength();
      if (result != kInvalidEnumCacheSentinel) return result;
    }
--- a/test/mjsunit/regress/regress-crbug-549162.js
+++ b/test/mjsunit/regress/regress-crbug-549162.js
@ -0,0 +1,11 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var s = Symbol("foo");
+var __v_13 = {}
+Object.defineProperty( __v_13, s, {value: {}, enumerable: true});
+for (var __v_14 in __v_13) {}
+__v_13 = {}
+Object.defineProperty( __v_13, s, {value: {}, enumerable: true});
+var __v_14 = Object.create(Object.prototype, __v_13)