Yet more size_t-index fixes

CSA::TryLookupElement must check the upper bound for dictionary-mode indices. The "stable map + accessor" branch of FastGetOwnValuesOrEntries must construct its LookupIterator such that it handles the named/indexed distinction correctly. Bug: chromium:1029338,chromium:1029369 Change-Id: I17e74ed24c260c5cfc20c61616e75db7d347f7a5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1943164 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#65301}
2019-12-02 17:40:02 +01:00 · 2019-12-02 17:40:02 +01:00 · c8ed19ac49
commit c8ed19ac49
parent a453f701af
3 changed files with 30 additions and 5 deletions
--- a/src/codegen/code-stub-assembler.cc
+++ b/src/codegen/code-stub-assembler.cc
@ -9213,8 +9213,14 @@ void CodeStubAssembler::TryLookupElement(Node* object, Node* map,
  }
  BIND(&if_isdictionary);
  {
-    // Negative keys must be converted to property names.
-    GotoIf(IntPtrLessThan(intptr_index, IntPtrConstant(0)), if_bailout);
+    // Negative and too-large keys must be converted to property names.
+    if (Is64()) {
+      GotoIf(UintPtrLessThan(IntPtrConstant(JSArray::kMaxArrayIndex),
+                             intptr_index),
+             if_bailout);
+    } else {
+      GotoIf(IntPtrLessThan(intptr_index, IntPtrConstant(0)), if_bailout);
+    }

    TVARIABLE(IntPtrT, var_entry);
    TNode<NumberDictionary> elements = CAST(LoadElements(object));
--- a/src/objects/js-objects.cc
+++ b/src/objects/js-objects.cc
@ -1903,10 +1903,11 @@ V8_WARN_UNUSED_RESULT Maybe<bool> FastGetOwnValuesOrEntries(
              JSObject::FastPropertyAt(object, representation, field_index);
        }
      } else {
+        LookupIterator it(isolate, object, next_key,
+                          LookupIterator::OWN_SKIP_INTERCEPTOR);
+        DCHECK_EQ(LookupIterator::ACCESSOR, it.state());
        ASSIGN_RETURN_ON_EXCEPTION_VALUE(
-            isolate, prop_value,
-            JSReceiver::GetProperty(isolate, object, next_key),
-            Nothing<bool>());
+            isolate, prop_value, Object::GetProperty(&it), Nothing<bool>());
        stable = object->map() == *map;
        *descriptors.location() = map->instance_descriptors().ptr();
      }
--- a/test/mjsunit/regress/large-indices.js
+++ b/test/mjsunit/regress/large-indices.js
@ -104,3 +104,21 @@
  v7[4294967297] = 1;
  const v8 = Object.assign({}, v7);
 })();
+
+// crbug.com/1029369
+(function () {
+  let obj = {};
+  function AddProperty(o, k) {
+    Object.defineProperty(o, k, {});
+    if (!o.hasOwnProperty(k)) throw "Bug!";
+  }
+  AddProperty(obj, "1");  // Force dictionary-mode elements.
+  AddProperty(obj, 4294967295);
+})();
+
+// crbug.com/1029338
+(function() {
+  var __v_11 = {};
+  __v_11.__defineGetter__(4294967295, function () {});
+  __v_12 = Object.entries(__v_11);
+})();