From b030a6f59d1f5a82b4d9c1ea53c4bfc844e71f68 Mon Sep 17 00:00:00 2001
From: ishell
Date: Mon, 11 Jul 2016 08:48:54 -0700
Subject: [PATCH] [runtime] Follow-up fix for "Better encapsulation of dictionary objects handling in lookup iterator."
BUG=chromium:626715
Review-Url: https://codereview.chromium.org/2135253002
Cr-Commit-Position: refs/heads/master@{#37651}
---
 src/lookup.cc | 6 ++++-
 test/mjsunit/regress/regress-crbug-626715.js | 28 ++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-626715.js
diff --git a/src/lookup.cc b/src/lookup.cc
index 544b164a8b..4ab0a7f6ea 100644
--- a/src/lookup.cc
+++ b/src/lookup.cc
@@ -356,7 +356,11 @@ void LookupIterator::PrepareTransitionToDataProperty(
 state_ = TRANSITION;
 transition_ = transition;
- if (!transition->is_dictionary_map()) {
+ if (transition->is_dictionary_map()) {
+ // Don't set enumeration index (it will be set during value store).
+ property_details_ =
+ PropertyDetails(attributes, i::DATA, 0, PropertyCellType::kNoCell);
+ } else {
 property_details_ = transition->GetLastDescriptorDetails();
 has_property_ = true;
 }
diff --git a/test/mjsunit/regress/regress-crbug-626715.js b/test/mjsunit/regress/regress-crbug-626715.js
new file mode 100644
index 0000000000..e842fa61c7
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-626715.js
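Review bot: The comment on the new `is_dictionary_map()` branch in src/lookup.cc explains only that the enumeration index is deferred, not why `property_details_` must be overwritten on this path at all. Judging by the regression test in this commit, the old code left the iterator's previous details (fast-mode details read from the prototype) in place and they were later reinterpreted as details for the new dictionary property, so the hazard is a stale-state read rather than the index itself. I would extend the comment to say so, for example `// Overwrite stale details from the earlier lookup; index 0 is a placeholder, the real enumeration index is assigned during value store.` It is also worth stating in the same comment whether leaving `has_property_` unset here, unlike in the `else` branch, is intentional. PrepareTransitionToDataProperty starts and ends outside this hunk, so other exits that might leave `property_details_` stale cannot be checked from here.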
@@ -0,0 +1,28 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Create a prototype object which has a lot of fast properties.
+var body = "";
+for (var i = 0; i < 100; i++) {
+ body += `this.a${i} = 0;\n`;
+}
+var Proto = new Function(body);
+
+function A() {}
+A.prototype = new Proto();
+
+// Create a object and add properties that already exist in the prototype.
+// At some point the object will turn into a dictionary mode and one of
+// the fast details from the prototype will be reinterpreted as a details
+// for a new property ...
+var o = new A();
+for (var i = 0; i < 100; i++) {
+ o["a" + i] = i;
+}
+
+// ... which will break the enumeration order of the slow properties.
+var names = Object.getOwnPropertyNames(o);
+for (var i = 0; i < 100; i++) {
+ assertEquals("a" + i, names[i]);
+}
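Review bot: The final loop asserts only the order returned by `Object.getOwnPropertyNames(o)`, so the test would miss reinterpreted details that corrupt anything other than the enumeration index. The test's own comments describe the defect as prototype details being reused for a new property, which could also affect that property's attributes. I would add a descriptor check inside the last loop, e.g. `var d = Object.getOwnPropertyDescriptor(o, "a" + i);` followed by `assertTrue(d.writable && d.enumerable && d.configurable);` and `assertEquals(i, d.value);`. That pins the stored value and attributes of each slow property as well as its position.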