[elements] update Dictionary in IncludesValue if own elements change

src/elements.cc

Index: src/elements.cc
diff --git a/src/elements.cc b/src/elements.cc
index 20e358848a7938c1a13eb7d2126777847dd309e3..25fbc0de9646fcd80210762aaecc2a62f5adb571 100644
--- a/src/elements.cc
+++ b/src/elements.cc
@@ -1519,7 +1519,7 @@ class DictionaryElementsAccessor
         continue;
       }
 
-      PropertyDetails details = GetDetailsImpl(receiver->elements(), entry);
+      PropertyDetails details = GetDetailsImpl(*dictionary, entry);
       switch (details.kind()) {
         case kData: {
           Object* element_k = dictionary->ValueAt(entry);
@@ -1539,9 +1539,10 @@ class DictionaryElementsAccessor
 
           if (value->SameValueZero(*element_k)) return Just(true);
 
-          // Some mutation to the prototype elements may have occurred in
-          // accessor.
-          if (!JSObject::PrototypeHasNoElements(isolate, *receiver)) {
+          // Some mutation to prototype or own elements may have occurred in the
+          // accessor. If so, bailout to slow path.
+          if (*dictionary != receiver->elements() ||

[Camillo Bruni, 2016/08/04 15:51:57]

as long as we stay in dictionary mode (which is always the case as we do not
migrate dict-elements to fast elements) you could just refresh the dictionary
(probably won't matter though in this corner case).

[caitp, 2016/08/04 16:13:06]

You're saying the elements kind can't change, so just update the handle instead
of bailing out, right? will do

[caitp, 2016/08/04 17:01:58]

This seems to be untrue, JSObject::ResetElements() (called if `length` is 0 in
ElementsAccessor::SetLength()) can reset the elements kind and fixed array to
something empty. There might be other cases that could break, too.

+              !JSObject::PrototypeHasNoElements(isolate, *receiver)) {
             return IncludesValueSlowPath(isolate, receiver, value, k + 1,
                                          length);
           }