diff --git a/src/builtins/builtins-object.cc b/src/builtins/builtins-object.cc index 85254d5dcd..eba065e5b3 100644 --- a/src/builtins/builtins-object.cc +++ b/src/builtins/builtins-object.cc @@ -48,6 +48,10 @@ void Builtins::Generate_ObjectHasOwnProperty( &return_false, &call_runtime); assembler.Bind(&keyisindex); + // Handle negative keys in the runtime. + assembler.GotoIf( + assembler.IntPtrLessThan(var_index.value(), assembler.IntPtrConstant(0)), + &call_runtime); assembler.TryLookupElement(object, map, instance_type, var_index.value(), &return_true, &return_false, &call_runtime); diff --git a/src/code-stub-assembler.cc b/src/code-stub-assembler.cc index 248d8a80e6..41d3565516 100644 --- a/src/code-stub-assembler.cc +++ b/src/code-stub-assembler.cc @@ -5084,6 +5084,9 @@ void CodeStubAssembler::TryLookupElement(Node* object, Node* map, } Bind(&if_isdictionary); { + // Negative keys must be converted to property names. + GotoIf(IntPtrLessThan(intptr_index, IntPtrConstant(0)), if_bailout); + Variable var_entry(this, MachineType::PointerRepresentation()); Node* elements = LoadElements(object); NumberDictionaryLookup( diff --git a/test/mjsunit/regress/regress-crbug-673008.js b/test/mjsunit/regress/regress-crbug-673008.js new file mode 100644 index 0000000000..4e232fa99c --- /dev/null +++ b/test/mjsunit/regress/regress-crbug-673008.js @@ -0,0 +1,23 @@ +// Copyright 2016 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +var a = { + "33": true, + "-1": true +}; + +var strkeys = Object.keys(a).map(function(k) { return "" + k }); +var numkeys = Object.keys(a).map(function(k) { return +k }); +var keys = strkeys.concat(numkeys); + +keys.forEach(function(k) { + assertTrue(a.hasOwnProperty(k), + "property not found: " + k + "(" + (typeof k) + ")"); +}); + +var b = {}; +b.__proto__ = a; +keys.forEach(function(k) { + assertTrue(k in b, "property not found: " + k + "(" + (typeof k) + ")"); +});