Fix Object.freeze on dictionary-backed arrays to properly freeze elements

src/objects.cc

 // Copyright 2013 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 5390 matching lines @@
   if (!elements()->IsDictionary()) {
     int length = IsJSArray()
         ? Smi::cast(JSArray::cast(this)->length())->value()
         : elements()->length();
     if (length > 0) {
       int capacity = 0;
       int used = 0;
       GetElementsCapacityAndUsage(&capacity, &used);
       MaybeObject* maybe_dict = SeededNumberDictionary::Allocate(heap, used);
       if (!maybe_dict->To(&new_element_dictionary)) return maybe_dict;
-      // Make sure that we never go back to fast case.
-      new_element_dictionary->set_requires_slow_elements();
 
       // Move elements to a dictionary; avoid calling NormalizeElements to avoid
       // unnecessary transitions.
       maybe_dict = CopyFastElementsToDictionary(isolate, elements(), length,
                                                 new_element_dictionary);
       if (!maybe_dict->To(&new_element_dictionary)) return maybe_dict;
-
-      // Freeze all the elements in the dictionary.
-      FreezeDictionary(new_element_dictionary);
     } else {
       // No existing elements, use a pre-allocated empty backing store
       new_element_dictionary = heap->empty_slow_element_dictionary();
     }
   }
 
   LookupResult result(isolate);
   map()->LookupTransition(this, heap->frozen_symbol(), &result);
   if (result.IsTransition()) {
     Map* transition_map = result.GetTransitionTarget();
@@ skipping 31 matching lines @@
     new_map->freeze();
     new_map->set_is_extensible(false);
     new_map->set_elements_kind(DICTIONARY_ELEMENTS);
     set_map(new_map);
 
     // Freeze dictionary-mode properties
     FreezeDictionary(property_dictionary());
   }
 
   ASSERT(map()->has_dictionary_elements());
-  if (new_element_dictionary != NULL)
+  if (new_element_dictionary != NULL) {
     set_elements(new_element_dictionary);
+  }
+
+  if (elements() != heap->empty_slow_element_dictionary()) {
+    SeededNumberDictionary* dictionary = element_dictionary();
+    // Make sure we never go back to the fast case
+    dictionary->set_requires_slow_elements();
+    // Freeze all elements in the dictionary
+    FreezeDictionary(dictionary);
+  }
 
   return this;
 }
 
 
 MUST_USE_RESULT MaybeObject* JSObject::DeepCopy(Isolate* isolate) {
   StackLimitCheck check(isolate);
   if (check.HasOverflowed()) return isolate->StackOverflow();
 
   if (map()->is_deprecated()) {
@@ skipping 10114 matching lines @@
   set_year(Smi::FromInt(year), SKIP_WRITE_BARRIER);
   set_month(Smi::FromInt(month), SKIP_WRITE_BARRIER);
   set_day(Smi::FromInt(day), SKIP_WRITE_BARRIER);
   set_weekday(Smi::FromInt(weekday), SKIP_WRITE_BARRIER);
   set_hour(Smi::FromInt(hour), SKIP_WRITE_BARRIER);
   set_min(Smi::FromInt(min), SKIP_WRITE_BARRIER);
   set_sec(Smi::FromInt(sec), SKIP_WRITE_BARRIER);
 }
 
 } }  // namespace v8::internal