[keys] Don't keep chain of OrderedHashSets in KeyAccumulator

Bug: chromium:831984 Change-Id: Ie13b22bc2491acc255557ba0325d8d53c22d6acb Reviewed-on: https://chromium-review.googlesource.com/1012874 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#52630}
2018-04-16 11:24:20 -07:00 · 2018-04-16 11:24:20 -07:00 · 7bb79b96bd
commit 7bb79b96bd
parent c536ea2dba
2 changed files with 18 additions and 1 deletions
--- a/src/keys.cc
+++ b/src/keys.cc
@ -77,7 +77,14 @@ void KeyAccumulator::AddKey(Handle<Object> key, AddKeyConversion convert) {
      Handle<String>::cast(key)->AsArrayIndex(&index)) {
    key = isolate_->factory()->NewNumberFromUint(index);
  }
-  keys_ = OrderedHashSet::Add(keys(), key);
+  Handle<OrderedHashSet> new_set = OrderedHashSet::Add(keys(), key);
+  if (*new_set != *keys_) {
+    // The keys_ Set is converted directly to a FixedArray in GetKeys which can
+    // be left-trimmer. Hence the previous Set should not keep a pointer to the
+    // new one.
+    keys_->set(OrderedHashTableBase::kNextTableIndex, Smi::kZero);
+    keys_ = new_set;
+  }
 }

 void KeyAccumulator::AddKeys(Handle<FixedArray> array,
--- a/test/mjsunit/regress/regress-crbug-831984.js
+++ b/test/mjsunit/regress/regress-crbug-831984.js
@ -0,0 +1,10 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+
+let arr = [...Array(9000)];
+for (let j = 0; j < 40; j++) {
+  Reflect.ownKeys(arr).shift();
+  Array(64386);
+}