More *_STRING_WRAPPER_ELEMENTS fixes

BUG=chromium:583257
LOG=n
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1651253003

Cr-Commit-Position: refs/heads/master@{#33683}
jkummerow 2016-02-02 05:45:42 -08:00 committed by Commit bot
parent 7be5829971
commit d582d2bb2a
3 changed files with 38 additions and 6 deletions


@ -144,7 +144,9 @@ void CopyObjectToObjectElements(FixedArrayBase* from_base,
DCHECK(IsFastSmiOrObjectElementsKind(to_kind));
WriteBarrierMode write_barrier_mode =
(IsFastObjectElementsKind(from_kind) && IsFastObjectElementsKind(to_kind))
((IsFastObjectElementsKind(from_kind) &&
IsFastObjectElementsKind(to_kind)) ||
from_kind == FAST_STRING_WRAPPER_ELEMENTS)
? UPDATE_WRITE_BARRIER
: SKIP_WRITE_BARRIER;
for (int i = 0; i < copy_size; i++) {
@ -2366,10 +2368,12 @@ class StringWrapperElementsAccessor
Handle<Object> value, PropertyAttributes attributes,
uint32_t new_capacity) {
DCHECK(index >= static_cast<uint32_t>(GetString(*object)->length()));
if ((KindTraits::Kind == FAST_STRING_WRAPPER_ELEMENTS &&
object->GetElementsKind() == SLOW_STRING_WRAPPER_ELEMENTS) ||
BackingStoreAccessor::GetCapacityImpl(*object, object->elements()) !=
new_capacity) {
// Explicitly grow fast backing stores if needed. Dictionaries know how to
// extend their capacity themselves.
if (KindTraits::Kind == FAST_STRING_WRAPPER_ELEMENTS &&
(object->GetElementsKind() == SLOW_STRING_WRAPPER_ELEMENTS ||
BackingStoreAccessor::GetCapacityImpl(*object, object->elements()) !=
new_capacity)) {
StringWrapperElementsAccessorSubclass::GrowCapacityAndConvertImpl(
object, new_capacity);
}
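Review bot: The new `from_kind == FAST_STRING_WRAPPER_ELEMENTS` term in the `write_barrier_mode` expression of CopyObjectToObjectElements is a by-name special case with no comment saying why copies out of that kind need the barrier. A skipped barrier is a memory-safety problem rather than a performance one, because the collector can miss a reference written into the destination store, so the reason should be stated next to the condition, for example `// FAST_STRING_WRAPPER_ELEMENTS stores can hold heap objects; the copy must record them.` It would also be more robust to default to `UPDATE_WRITE_BARRIER` and skip only for source kinds known to hold Smis, so that a future elements kind fails safe instead of silently taking `SKIP_WRITE_BARRIER`. The function body continues outside the hunk, so whether other copy paths need the same treatment cannot be judged from here.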


@ -7908,7 +7908,8 @@ Maybe<bool> JSObject::PreventExtensionsWithTransition(
if (transition != NULL) {
Handle<Map> transition_map(transition, isolate);
DCHECK(transition_map->has_dictionary_elements() ||
transition_map->has_fixed_typed_array_elements());
transition_map->has_fixed_typed_array_elements() ||
transition_map->elements_kind() == SLOW_STRING_WRAPPER_ELEMENTS);
DCHECK(!transition_map->is_extensible());
JSObject::MigrateToMap(object, transition_map);
} else if (TransitionArray::CanHaveMoreTransitions(old_map)) {
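Review bot: The widened `DCHECK` in JSObject::PreventExtensionsWithTransition is the only place that constrains the cached transition's elements kind, and it compiles away in release builds, so `JSObject::MigrateToMap` on the following line trusts whatever the transition lookup returned. A short comment above the assertion would make that dependency explicit, e.g. `// Cached non-extensible transitions must already use a slow (dictionary, typed-array or string-wrapper) elements kind.` The branches that create the transition are outside this hunk, so it is presumably there that `SLOW_STRING_WRAPPER_ELEMENTS` is chosen for string wrappers; that is worth confirming against this assertion.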


@ -0,0 +1,27 @@
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
Object.defineProperty(String.prototype, "0", { __v_1: 1});
Object.defineProperty(String.prototype, "3", { __v_1: 1});
(function () {
var s = new String();
function set(object, index, value) { object[index] = value; }
set(s, 10, "value");
set(s, 1073741823, "value");
})();
function __f_11() {
Object.preventExtensions(new String());
}
__f_11();
__f_11();
(function() {
var i = 10;
var a = new String("foo");
for (var j = 0; j < i; j++) {
a[j] = {};
}
})();
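Review bot: The new regression test has no assertions and no comments, so it only guards against crashes or DCHECK failures, and a reader cannot tell which of its three cases covers which C++ change. I would add a one-line comment per case, e.g. `// Store far past capacity on a String wrapper: forces the slow (dictionary) elements path.` before the first closure, `// Second call reuses the cached preventExtensions transition.` above the repeated `__f_11()` call, and `// Stores heap objects into a growing String wrapper backing store.` before the last loop; these mappings are inferred from the diff and should be confirmed. The fuzzer-style names (`__v_1`, `__f_11`) and the descriptor `{ __v_1: 1}` could also be replaced with descriptive names and `{}`, assuming the unknown descriptor key is ignored as it appears to be.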