From fb320bf185015aceeabb8b7fb13badfaf6a475a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20Zasso?=
Date: Sat, 25 Mar 2017 15:01:10 +0100
Subject: [PATCH] deps: backport e427300 from upstream V8
Original commit message:
Properly handle holes following spreads in array literals
Before this change, the spread desugaring would naively call `%AppendElement($R, the_hole)` and in some cases $R would have a non-holey elements kind, putting the array into the bad state of exposing holes to author code.
This patch avoids calling %AppendElement with a hole, instead simply incrementing $R.length when it sees a hole in the literal (this is safe because $R is known to be an Array). The existing logic for elements transitions takes care of giving the array a holey ElementsKind.
BUG=chromium:644215
Review-Url: https://codereview.chromium.org/2321533003
Cr-Commit-Position: refs/heads/master@{#39294}
Fixes: https://github.com/nodejs/node/issues/12018
PR-URL: https://github.com/nodejs/node/pull/12037
Reviewed-By: Ben Noordhuis
Reviewed-By: Myles Borins
---
 deps/v8/include/v8-version.h | 2 +-
 deps/v8/src/ast/ast-value-factory.h | 1 +
 deps/v8/src/parsing/parser.cc | 37 ++++++++++++++-----
 deps/v8/src/runtime/runtime-object.cc | 1 +
 .../mjsunit/regress/regress-crbug-644215.js | 13 +++++++
 5 files changed, 44 insertions(+), 10 deletions(-)
 create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-644215.js
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index d281773473a019..21d2a6ae9e2655 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 5
 #define V8_MINOR_VERSION 1
 #define V8_BUILD_NUMBER 281
-#define V8_PATCH_LEVEL 97
+#define V8_PATCH_LEVEL 98
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/ast/ast-value-factory.h b/deps/v8/src/ast/ast-value-factory.h
index 8b3f0ed252c7e6..11851535f01d3b 100644
--- a/deps/v8/src/ast/ast-value-factory.h
+++ b/deps/v8/src/ast/ast-value-factory.h
@@ -257,6 +257,7 @@ class AstValue : public ZoneObject {
 F(eval, "eval") \
 F(function, "function") \
 F(get_space, "get ") \
+ F(length, "length") \
 F(let, "let") \
 F(native, "native") \
 F(new_target, ".new.target") \
diff --git a/deps/v8/src/parsing/parser.cc b/deps/v8/src/parsing/parser.cc
index bbb75de3ea3dab..7f1303cedb3cde 100644
--- a/deps/v8/src/parsing/parser.cc
+++ b/deps/v8/src/parsing/parser.cc
@@ -5582,16 +5582,35 @@ Expression* Parser::RewriteSpreads(ArrayLiteral* lit) {
 if (spread == nullptr) {
 // If the element is not a spread, we're adding a single:
 // %AppendElement($R, value)
- ZoneList* append_element_args = NewExpressionList(2, zone());
- append_element_args->Add(factory()->NewVariableProxy(result), zone());
- append_element_args->Add(value, zone());
- do_block->statements()->Add(
- factory()->NewExpressionStatement(
- factory()->NewCallRuntime(Runtime::kAppendElement,
- append_element_args,
+ // or, in case of a hole,
+ // ++($R.length)
+ if (!value->IsLiteral() ||
+ !value->AsLiteral()->raw_value()->IsTheHole()) {
+ ZoneList* append_element_args =
+ NewExpressionList(2, zone());
+ append_element_args->Add(factory()->NewVariableProxy(result), zone());
+ append_element_args->Add(value, zone());
+ do_block->statements()->Add(
+ factory()->NewExpressionStatement(
+ factory()->NewCallRuntime(Runtime::kAppendElement,
+ append_element_args,
+ RelocInfo::kNoPosition),
+ RelocInfo::kNoPosition),
+ zone());
+ } else {
+ Property* length_property = factory()->NewProperty(
+ factory()->NewVariableProxy(result),
+ factory()->NewStringLiteral(ast_value_factory()->length_string(),
 RelocInfo::kNoPosition),
- RelocInfo::kNoPosition),
- zone());
+ RelocInfo::kNoPosition);
+ CountOperation* count_op = factory()->NewCountOperation(
+ Token::INC, true /* prefix */, length_property,
+ RelocInfo::kNoPosition);
+ do_block->statements()->Add(
+ factory()->NewExpressionStatement(count_op,
+ RelocInfo::kNoPosition),
+ zone());
+ }
 } else {
 // If it's a spread, we're adding a for/of loop iterating through it.
 Variable* each =
diff --git a/deps/v8/src/runtime/runtime-object.cc b/deps/v8/src/runtime/runtime-object.cc
index 5bdb08541f18d5..bc42b7c7fcca8b 100644
--- a/deps/v8/src/runtime/runtime-object.cc
+++ b/deps/v8/src/runtime/runtime-object.cc
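Review bot: The comment introducing the new `else` branch (`// or, in case of a hole,` / `// ++($R.length)`) records what is emitted but not why a hole cannot simply go through %AppendElement, which is the entire reason the branch exists. I would extend it to `// A hole must never reach %AppendElement: if $R currently has a non-holey elements kind the hole would become visible to script. $R is known to be an Array, so bumping its length leaves the hole and the usual elements transition makes $R holey.` It is also worth a word that `true /* prefix */` is immaterial here because the count operation's value is discarded by the enclosing expression statement, so nobody later flips it to postfix for consistency. RewriteSpreads begins and ends outside this hunk.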
@@ -543,6 +543,7 @@ RUNTIME_FUNCTION(Runtime_AppendElement) {
 CONVERT_ARG_HANDLE_CHECKED(JSArray, array, 0);
 CONVERT_ARG_HANDLE_CHECKED(Object, value, 1);
+ CHECK(!value->IsTheHole());
 uint32_t index;
 CHECK(array->length()->ToArrayIndex(&index));
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-644215.js b/deps/v8/test/mjsunit/regress/regress-crbug-644215.js
new file mode 100644
index 00000000000000..c74112542d8af2
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-644215.js
@@ -0,0 +1,13 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var arr = [...[],,];
+assertTrue(%HasFastHoleyElements(arr));
+assertEquals(1, arr.length);
+assertFalse(arr.hasOwnProperty(0));
+assertEquals(undefined, arr[0]);
+// Should not crash.
+assertThrows(() => arr[0][0], TypeError);
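Review bot: The added `CHECK(!value->IsTheHole());` in Runtime_AppendElement is a release-build check rather than a DCHECK, and nothing on the line says that this is deliberate, so a later cleanup could downgrade it. A short comment would fix that, e.g. `// Never store the_hole through here: the parser bumps $R.length for holes instead, and a hole appended to a non-holey array would be observable from script.` The rest of Runtime_AppendElement lies outside this hunk.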
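Review bot: The regression test only covers a hole after an empty spread (`[...[],,]`), so the path the commit message relies on — the elements-kind transition to holey once real elements have already been appended to `$R` — is not exercised here. A second case with a non-empty spread and a trailing element would pin it: `var arr2 = [...[1, 2],, 3];`, `assertTrue(%HasFastHoleyElements(arr2));`, `assertFalse(arr2.hasOwnProperty(2));`. Asserting `arr2.length` is 4 in the same block would also confirm the hole keeps its slot at index 2 rather than being dropped.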