Prevent fast access mode arrays from low-level property management methods (#3047)

This patch fixes #3043 and fixes #3045 and fixes #3046.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu

jerry-core/ecma/operations/ecma-array-object.c

@@ -943,6 +943,19 @@ ecma_op_array_object_set_length (ecma_object_t *object_p, /**< the array object
   return ecma_reject (is_throw);
 } /* ecma_op_array_object_set_length */
 
+/**
+ * Property descriptor bitset for fast array data properties.
+ * If the property desciptor fields contains all the flags below
+ * attempt to stay fast access array during [[DefineOwnProperty]] operation.
+ */
+#define ECMA_FAST_ARRAY_DATA_PROP_FLAGS (ECMA_PROP_IS_VALUE_DEFINED \
+                                         | ECMA_PROP_IS_ENUMERABLE_DEFINED \
+                                         | ECMA_PROP_IS_ENUMERABLE \
+                                         | ECMA_PROP_IS_CONFIGURABLE_DEFINED \
+                                         | ECMA_PROP_IS_CONFIGURABLE \
+                                         | ECMA_PROP_IS_WRITABLE_DEFINED \
+                                         | ECMA_PROP_IS_WRITABLE)
+
 /**
  * [[DefineOwnProperty]] ecma array object's operation
  *
@@ -1009,13 +1022,24 @@ ecma_op_array_object_define_own_property (ecma_object_t *object_p, /**< the arra
 
   ecma_extended_object_t *ext_object_p = (ecma_extended_object_t *) object_p;
 
-  /* Note for further optimization: for enumerable, configurable, writable data properties
-     it's not necessary to convert it back to normal property list based array */
-  if (JERRY_UNLIKELY (ext_object_p->u.array.is_fast_mode))
+  if (ext_object_p->u.array.is_fast_mode)
   {
-    ecma_fast_array_convert_to_normal (object_p);
+    if ((property_desc_p->flags & ECMA_FAST_ARRAY_DATA_PROP_FLAGS) == ECMA_FAST_ARRAY_DATA_PROP_FLAGS)
+    {
+      if (ecma_fast_array_set_property (object_p, property_name_p, property_desc_p->value))
+      {
+        return ECMA_VALUE_TRUE;
+      }
+
+      JERRY_ASSERT (!ext_object_p->u.array.is_fast_mode);
+    }
+    else
+    {
+      ecma_fast_array_convert_to_normal (object_p);
+    }
   }
 
+  JERRY_ASSERT (!ext_object_p->u.array.is_fast_mode);
   uint32_t index = ecma_string_get_array_index (property_name_p);
 
   if (index == ECMA_STRING_NOT_ARRAY_INDEX)

jerry-core/ecma/operations/ecma-container-object.c

@@ -245,10 +245,16 @@ ecma_op_container_to_key (ecma_value_t key_arg) /**< key argument */
   {
     ecma_object_t *obj_p = ecma_get_object_from_value (key_arg);
     ecma_string_t *key_string_p = ecma_get_magic_string (LIT_INTERNAL_MAGIC_STRING_MAP_KEY);
-    ecma_property_t *property_p = ecma_find_named_property (obj_p, key_string_p);
+
+    ecma_property_ref_t property_ref;
+    ecma_property_t property = ecma_op_object_get_own_property (obj_p,
+                                                                key_string_p,
+                                                                &property_ref,
+                                                                ECMA_PROPERTY_GET_NO_OPTIONS);
+
     ecma_string_t *object_key_string;
 
-    if (property_p == NULL)
+    if (property == ECMA_PROPERTY_TYPE_NOT_FOUND || property == ECMA_PROPERTY_TYPE_NOT_FOUND_AND_STOP)
     {
       object_key_string = ecma_new_map_key_string (key_arg);
       ecma_value_t put_comp = ecma_builtin_helper_def_prop (obj_p,
@@ -261,7 +267,7 @@ ecma_op_container_to_key (ecma_value_t key_arg) /**< key argument */
     }
     else
     {
-      object_key_string = ecma_get_string_from_value (ECMA_PROPERTY_VALUE_PTR (property_p)->value);
+      object_key_string = ecma_get_string_from_value (property_ref.value_p->value);
     }
 
     ecma_ref_ecma_string (object_key_string);
@@ -383,7 +389,7 @@ ecma_value_t
 ecma_op_container_set (ecma_value_t this_arg, /**< this argument */
                        ecma_value_t key_arg, /**< key argument */
                        ecma_value_t value_arg, /**< value argument */
-                      lit_magic_string_id_t lit_id) /**< internal class id */
+                       lit_magic_string_id_t lit_id) /**< internal class id */
 {
   ecma_map_object_t *map_object_p = ecma_op_container_get_object (this_arg, lit_id);
 

jerry-core/ecma/operations/ecma-objects-general.c

@@ -284,6 +284,8 @@ ecma_op_general_object_define_own_property (ecma_object_t *object_p, /**< the ob
 {
   JERRY_ASSERT (object_p != NULL
                 && !ecma_is_lexical_environment (object_p));
+  JERRY_ASSERT (ecma_get_object_type (object_p) != ECMA_OBJECT_TYPE_ARRAY
+                || !((ecma_extended_object_t *) object_p)->u.array.is_fast_mode);
   JERRY_ASSERT (property_name_p != NULL);
 
   ecma_property_types_t property_desc_type = ECMA_PROPERTY_TYPE_GENERIC;

jerry-core/ecma/operations/ecma-objects.c

@@ -744,6 +744,10 @@ inline ecma_value_t JERRY_ATTR_ALWAYS_INLINE
 ecma_op_object_get_own_data_prop (ecma_object_t *object_p, /**< the object */
                                   ecma_string_t *property_name_p) /**< property name */
 {
+  JERRY_ASSERT (ecma_is_lexical_environment (object_p)
+                || ecma_get_object_type (object_p) != ECMA_OBJECT_TYPE_ARRAY
+                || !((ecma_extended_object_t *) object_p)->u.array.is_fast_mode);
+
   ecma_value_t result = ecma_op_object_find_own (ecma_make_object_value (object_p),
                                                  object_p,
                                                  property_name_p);

jerry-core/ecma/operations/ecma-regexp-object.c

@@ -1395,6 +1395,8 @@ ecma_regexp_exec_helper (ecma_value_t regexp_value, /**< RegExp object */
           capture_value = ecma_make_string_value (capture_str_p);
         }
 
+        JERRY_ASSERT (!((ecma_extended_object_t *) result_array_obj_p)->u.array.is_fast_mode);
+
         ecma_property_value_t *prop_value_p;
         prop_value_p = ecma_create_named_data_property (result_array_obj_p,
                                                         index_str_p,