Use entry rather than index in ElementsAccessor::Set

src/elements.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/v8.h"
 
 #include "src/arguments.h"
 #include "src/conversions.h"
 #include "src/elements.h"
 #include "src/messages.h"
@@ skipping 556 matching lines @@
                                 Handle<FixedArrayBase> backing_store) {
     if (index <
         ElementsAccessorSubclass::GetCapacityImpl(*obj, *backing_store)) {
       return BackingStore::get(Handle<BackingStore>::cast(backing_store),
                                index);
     } else {
       return backing_store->GetIsolate()->factory()->the_hole_value();
     }
   }
 
-  virtual void Set(FixedArrayBase* backing_store, uint32_t index,
+  virtual void Set(FixedArrayBase* backing_store, uint32_t entry,
                    Object* value) final {
-    ElementsAccessorSubclass::SetImpl(backing_store, index, value);
+    ElementsAccessorSubclass::SetImpl(backing_store, entry, value);
   }
 
-  static void SetImpl(FixedArrayBase* backing_store, uint32_t index,
+  static void SetImpl(FixedArrayBase* backing_store, uint32_t entry,
                       Object* value) {
-    BackingStore::cast(backing_store)->SetValue(index, value);
+    BackingStore::cast(backing_store)->SetValue(entry, value);
   }
 
   virtual void Reconfigure(Handle<JSObject> object,
                            Handle<FixedArrayBase> store, uint32_t entry,
                            Handle<Object> value,
                            PropertyAttributes attributes) final {
     ElementsAccessorSubclass::ReconfigureImpl(object, store, entry, value,
                                               attributes);
   }
 
   static void ReconfigureImpl(Handle<JSObject> object,
                               Handle<FixedArrayBase> store, uint32_t entry,
                               Handle<Object> value,
                               PropertyAttributes attributes) {
     UNREACHABLE();
   }
 
-  virtual void Add(Handle<JSObject> object, uint32_t entry,
+  virtual void Add(Handle<JSObject> object, uint32_t index,
                    Handle<Object> value, PropertyAttributes attributes,
                    uint32_t new_capacity) final {
-    ElementsAccessorSubclass::AddImpl(object, entry, value, attributes,
+    ElementsAccessorSubclass::AddImpl(object, index, value, attributes,
                                       new_capacity);
   }
 
-  static void AddImpl(Handle<JSObject> object, uint32_t entry,
+  static void AddImpl(Handle<JSObject> object, uint32_t index,
                       Handle<Object> value, PropertyAttributes attributes,
                       uint32_t new_capacity) {
     UNREACHABLE();
   }
 
   virtual void SetLength(Handle<JSArray> array, uint32_t length) final {
     ElementsAccessorSubclass::SetLengthImpl(array, length,
                                             handle(array->elements()));
   }
 
@@ skipping 330 matching lines @@
     Handle<SeededNumberDictionary> backing_store =
         Handle<SeededNumberDictionary>::cast(store);
     Isolate* isolate = backing_store->GetIsolate();
     int entry = backing_store->FindEntry(index);
     if (entry != SeededNumberDictionary::kNotFound) {
       return handle(backing_store->ValueAt(entry), isolate);
     }
     return isolate->factory()->the_hole_value();
   }
 
-  static void SetImpl(FixedArrayBase* store, uint32_t index, Object* value) {
+  static void SetImpl(FixedArrayBase* store, uint32_t entry, Object* value) {
     SeededNumberDictionary* dictionary = SeededNumberDictionary::cast(store);
-    int entry = dictionary->FindEntry(index);
-    DCHECK_NE(SeededNumberDictionary::kNotFound, entry);
     dictionary->ValueAtPut(entry, value);
   }
 
   static void ReconfigureImpl(Handle<JSObject> object,
                               Handle<FixedArrayBase> store, uint32_t entry,
                               Handle<Object> value,
                               PropertyAttributes attributes) {
     SeededNumberDictionary* dictionary = SeededNumberDictionary::cast(*store);
     if (attributes != NONE) dictionary->set_requires_slow_elements();
     dictionary->ValueAtPut(entry, *value);
     PropertyDetails details = dictionary->DetailsAt(entry);
     details = PropertyDetails(attributes, DATA, details.dictionary_index(),
                               PropertyCellType::kNoCell);
     dictionary->DetailsAtPut(entry, details);
   }
 
-  static void AddImpl(Handle<JSObject> object, uint32_t entry,
+  static void AddImpl(Handle<JSObject> object, uint32_t index,
                       Handle<Object> value, PropertyAttributes attributes,
                       uint32_t new_capacity) {
     PropertyDetails details(attributes, DATA, 0, PropertyCellType::kNoCell);
     Handle<SeededNumberDictionary> dictionary =
         object->HasFastElements()
             ? JSObject::NormalizeElements(object)
             : handle(SeededNumberDictionary::cast(object->elements()));
     Handle<SeededNumberDictionary> new_dictionary =
-        SeededNumberDictionary::AddNumberEntry(dictionary, entry, value,
+        SeededNumberDictionary::AddNumberEntry(dictionary, index, value,
                                                details);
     if (attributes != NONE) new_dictionary->set_requires_slow_elements();
     if (dictionary.is_identical_to(new_dictionary)) return;
     object->set_elements(*new_dictionary);
   }
 
   static bool HasEntryImpl(FixedArrayBase* store, uint32_t entry) {
     DisallowHeapAllocation no_gc;
     SeededNumberDictionary* dict = SeededNumberDictionary::cast(store);
     Object* index = dict->KeyAt(entry);
@@ skipping 114 matching lines @@
                               Handle<FixedArrayBase> store, uint32_t entry,
                               Handle<Object> value,
                               PropertyAttributes attributes) {
     Handle<SeededNumberDictionary> dictionary =
         JSObject::NormalizeElements(object);
     entry = dictionary->FindEntry(entry);
     DictionaryElementsAccessor::ReconfigureImpl(object, dictionary, entry,
                                                 value, attributes);
   }
 
-  static void AddImpl(Handle<JSObject> object, uint32_t entry,
+  static void AddImpl(Handle<JSObject> object, uint32_t index,
                       Handle<Object> value, PropertyAttributes attributes,
                       uint32_t new_capacity) {
     DCHECK_EQ(NONE, attributes);
     ElementsKind from_kind = object->GetElementsKind();
     ElementsKind to_kind = FastElementsAccessorSubclass::kind();
     if (IsDictionaryElementsKind(from_kind) ||
         IsFastDoubleElementsKind(from_kind) !=
             IsFastDoubleElementsKind(to_kind) ||
         FastElementsAccessorSubclass::GetCapacityImpl(
             *object, object->elements()) != new_capacity) {
       FastElementsAccessorSubclass::GrowCapacityAndConvertImpl(object,
                                                                new_capacity);
     } else {
       if (from_kind != to_kind) {
         JSObject::TransitionElementsKind(object, to_kind);
       }
       if (IsFastSmiOrObjectElementsKind(from_kind)) {
         DCHECK(IsFastSmiOrObjectElementsKind(to_kind));
         JSObject::EnsureWritableFastElements(object);
       }
     }
-    FastElementsAccessorSubclass::SetImpl(object->elements(), entry, *value);
+    FastElementsAccessorSubclass::SetImpl(object->elements(), index, *value);
   }
 
   static void DeleteImpl(Handle<JSObject> obj, uint32_t entry) {
     ElementsKind kind = KindTraits::Kind;
     if (IsFastPackedElementsKind(kind)) {
       JSObject::TransitionElementsKind(obj, GetHoleyElementsKind(kind));
     }
     if (IsFastSmiOrObjectElementsKind(KindTraits::Kind)) {
       JSObject::EnsureWritableFastElements(obj);
     }
@@ skipping 314 matching lines @@
         return result;
       }
     }
   }
 
   static void GrowCapacityAndConvertImpl(Handle<JSObject> object,
                                          uint32_t capacity) {
     UNREACHABLE();
   }
 
-  static void SetImpl(FixedArrayBase* store, uint32_t index, Object* value) {
+  static void SetImpl(FixedArrayBase* store, uint32_t entry, Object* value) {
     FixedArray* parameter_map = FixedArray::cast(store);
-    Object* probe = GetParameterMapArg(parameter_map, index);
-    if (!probe->IsTheHole()) {
+    uint32_t length = parameter_map->length() - 2;
+    if (entry < length) {
+      Object* probe = parameter_map->get(entry + 2);
       Context* context = Context::cast(parameter_map->get(0));
       int context_entry = Smi::cast(probe)->value();
       DCHECK(!context->get(context_entry)->IsTheHole());
       context->set(context_entry, value);
     } else {
       FixedArray* arguments = FixedArray::cast(parameter_map->get(1));
-      ArgumentsAccessor::SetImpl(arguments, index, value);
+      ArgumentsAccessor::SetImpl(arguments, entry - length, value);
     }
   }
 
   static void SetLengthImpl(Handle<JSArray> array, uint32_t length,
                             Handle<FixedArrayBase> parameter_map) {
     // Sloppy arguments objects are not arrays.
     UNREACHABLE();
   }
 
   static uint32_t GetCapacityImpl(JSObject* holder,
@@ skipping 39 matching lines @@
     return (parameter_map->length() - 2) + entry;
   }
 
   static PropertyDetails GetDetailsImpl(FixedArrayBase* parameters,
                                         uint32_t entry) {
     FixedArray* parameter_map = FixedArray::cast(parameters);
     uint32_t length = parameter_map->length() - 2;
     if (entry < length) {
       return PropertyDetails(NONE, DATA, 0, PropertyCellType::kNoCell);
     }
-    entry -= length;
     FixedArray* arguments = FixedArray::cast(parameter_map->get(1));
-    return ArgumentsAccessor::GetDetailsImpl(arguments, entry);
+    return ArgumentsAccessor::GetDetailsImpl(arguments, entry - length);
   }
 
   static Object* GetParameterMapArg(FixedArray* parameter_map, uint32_t index) {
     uint32_t length = parameter_map->length() - 2;
     return index < length
                ? parameter_map->get(index + 2)
                : Object::cast(parameter_map->GetHeap()->the_hole_value());
   }
 
   static void DeleteImpl(Handle<JSObject> obj, uint32_t entry) {
@@ skipping 115 matching lines @@
                       Handle<Object> value, PropertyAttributes attributes,
                       uint32_t new_capacity) {
     DCHECK_EQ(NONE, attributes);
     Handle<FixedArray> parameter_map(FixedArray::cast(object->elements()));
     Handle<FixedArrayBase> old_elements(
         FixedArrayBase::cast(parameter_map->get(1)));
     if (old_elements->IsSeededNumberDictionary() ||
         static_cast<uint32_t>(old_elements->length()) < new_capacity) {
       GrowCapacityAndConvertImpl(object, new_capacity);
     }
-    SetImpl(object->elements(), index, *value);
+    FixedArray* arguments = FixedArray::cast(parameter_map->get(1));
+    // For fast holey objects, the entry equals the index. The code above made
+    // sure that there's enough space to store the value. We cannot convert
+    // index to entry explicitly since the slot still contains the hole, so the
+    // current EntryForIndex would indicate that it is "absent" by returning
+    // kMaxUInt32.
+    FastHoleyObjectElementsAccessor::SetImpl(arguments, index, *value);
   }
 
   static void ReconfigureImpl(Handle<JSObject> object,
                               Handle<FixedArrayBase> store, uint32_t entry,
                               Handle<Object> value,
                               PropertyAttributes attributes) {
     Handle<SeededNumberDictionary> dictionary =
         JSObject::NormalizeElements(object);
     FixedArray::cast(*store)->set(1, *dictionary);
     uint32_t length = static_cast<uint32_t>(store->length()) - 2;
@@ skipping 235 matching lines @@
 #define ACCESSOR_DELETE(Class, Kind, Store) delete elements_accessors_[Kind];
   ELEMENTS_LIST(ACCESSOR_DELETE)
 #undef ACCESSOR_DELETE
   elements_accessors_ = NULL;
 }
 
 
 ElementsAccessor** ElementsAccessor::elements_accessors_ = NULL;
 }  // namespace internal
 }  // namespace v8