From bd826d54f592663faa95f75b4a4b571c03e09346 Mon Sep 17 00:00:00 2001
From: "lrn@chromium.org"
 <lrn@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Wed, 8 Jun 2011 08:13:31 +0000
Subject: [PATCH] Fix bug in Object.defineProperty where a growing lements
 dictionary was ignored.

TEST=mjsunit/object-define-property

Review URL: http://codereview.chromium.org/7129017

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8215 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/handles.cc                         | 14 ++++++++------
 src/handles.h                          | 11 ++++++-----
 src/runtime.cc                         |  6 +++++-
 test/mjsunit/object-define-property.js |  9 +++++++++
 4 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/src/handles.cc b/src/handles.cc
index 63f582ba86..59212802f5 100644
--- a/src/handles.cc
+++ b/src/handles.cc
@@ -228,12 +228,14 @@ void TransformToFastProperties(Handle<JSObject> object,
 }
 
 
-void NumberDictionarySet(Handle<NumberDictionary> dictionary,
-                         uint32_t index,
-                         Handle<Object> value,
-                         PropertyDetails details) {
-  CALL_HEAP_FUNCTION_VOID(dictionary->GetIsolate(),
-                          dictionary->Set(index, *value, details));
+Handle<NumberDictionary> NumberDictionarySet(
+    Handle<NumberDictionary> dictionary,
+    uint32_t index,
+    Handle<Object> value,
+    PropertyDetails details) {
+  CALL_HEAP_FUNCTION(dictionary->GetIsolate(),
+                     dictionary->Set(index, *value, details),
+                     NumberDictionary);
 }
 
 
diff --git a/src/handles.h b/src/handles.h
index d947b0d6b5..5c64cf5011 100644
--- a/src/handles.h
+++ b/src/handles.h
@@ -1,4 +1,4 @@
-// Copyright 2006-2008 the V8 project authors. All rights reserved.
+// Copyright 2011 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
@@ -173,10 +173,11 @@ void NormalizeProperties(Handle<JSObject> object,
 void NormalizeElements(Handle<JSObject> object);
 void TransformToFastProperties(Handle<JSObject> object,
                                int unused_property_fields);
-void NumberDictionarySet(Handle<NumberDictionary> dictionary,
-                         uint32_t index,
-                         Handle<Object> value,
-                         PropertyDetails details);
+MUST_USE_RESULT Handle<NumberDictionary> NumberDictionarySet(
+    Handle<NumberDictionary> dictionary,
+    uint32_t index,
+    Handle<Object> value,
+    PropertyDetails details);
 
 // Flattens a string.
 void FlattenString(Handle<String> str);
diff --git a/src/runtime.cc b/src/runtime.cc
index 60e39d675e..43d34510f4 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -3914,7 +3914,11 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_DefineOrRedefineDataProperty) {
     // Make sure that we never go back to fast case.
     dictionary->set_requires_slow_elements();
     PropertyDetails details = PropertyDetails(attr, NORMAL);
-    NumberDictionarySet(dictionary, index, obj_value, details);
+    Handle<NumberDictionary> extended_dictionary =
+        NumberDictionarySet(dictionary, index, obj_value, details);
+    if (*extended_dictionary != *dictionary) {
+      js_object->set_elements(*extended_dictionary);
+    }
     return *obj_value;
   }
 
diff --git a/test/mjsunit/object-define-property.js b/test/mjsunit/object-define-property.js
index e08686ec52..ee6083a899 100644
--- a/test/mjsunit/object-define-property.js
+++ b/test/mjsunit/object-define-property.js
@@ -1045,3 +1045,12 @@ Object.defineProperty(o, 'p',
 testDefineProperty(o, 'p',
   { enumerable : false, configurable : false },
   { get: undefined, set: setter1, enumerable : false, configurable : false });
+
+
+// Regression test: Ensure that growing dictionaries are not ignored.
+o = {};
+for (var i = 0; i < 1000; i++) {
+  // Non-enumerable property forces dictionary mode.
+  Object.defineProperty(o, i, {value: i, enumerable: false});
+}
+assertEquals(999, o[999]);
\ No newline at end of file