[runtime] sort transition array after it grows beyond linear search size

Previously TransitionsAccessor::InsertHelper() can grow the transition
array without making sure it's sorted after the size crosses
kMaxElementsForLinearSearch, leading to search failures or
duplicate entries in bigger transition arrays.

See nodejs/node#61002 (comment)

Change-Id: I3f45816b7d65bbbcfedeb7074d0c6907cbc08edf

Author: joyeecheung

src/objects/transitions.cc

@@ -173,6 +173,11 @@ void TransitionsAccessor::InsertHelper(Isolate* isolate, DirectHandle<Map> map,
       }
       array->SetKey(insertion_index, *name);
       array->SetRawTarget(insertion_index, MakeWeak(*target));
+      // The new size exceeds the threshold for linear search, sort the array
+      // for binary search later.
+      // if (new_nof == TransitionArray::kMaxElementsForLinearSearch + 1) {
+      //   array->Sort();
+      // }
       SLOW_DCHECK(array->IsSortedNoDuplicates());
       return;
     }
@@ -222,6 +227,11 @@ void TransitionsAccessor::InsertHelper(Isolate* isolate, DirectHandle<Map> map,
     result->Set(i + 1, array->GetKey(i), array->GetRawTarget(i));
   }
 
+  // The new size exceeds the threshold for linear search, sort the array
+  // for binary search later.
+  // if (new_nof == TransitionArray::kMaxElementsForLinearSearch + 1) {
+  //   result->Sort();
+  // }
   SLOW_DCHECK(result->IsSortedNoDuplicates());
   ReplaceTransitions(isolate, map, result);
 }

test/cctest/test-transitions.cc

@@ -8,6 +8,7 @@
 
 #include <utility>
 
+#include "src/api/api-inl.h"
 #include "src/codegen/compilation-cache.h"
 #include "src/execution/execution.h"
 #include "src/heap/factory.h"
@@ -316,5 +317,39 @@ TEST(TransitionArray_SameFieldNamesDifferentAttributes) {
   DCHECK(transitions.IsSortedNoDuplicates());
 }
 
+TEST(TransitionArray_InsertionAfterLinearThreshold) {
+  CcTest::InitializeVM();
+  v8::Isolate* isolate = CcTest::isolate();
+  Isolate* i_isolate = CcTest::i_isolate();
+  v8::HandleScope scope(isolate);
+
+  // A shuffled permuatation of the characters so that we can insert transitions
+  // and check that they are sorted after ht
+  std::string names = "HNkgAQeqBsnyCDEOiPFRUxfwcIKtlVZTMYbdvJpLhXmouzrGajSW";
+  std::reverse(names.begin(), names.end());
+  CHECK_GT(names.size(), TransitionArray::kMaxElementsForLinearSearch);
+  v8::Local<v8::Context> context = isolate->GetCurrentContext();
+  DirectHandle<Map> first_map;
+  int len = static_cast<int>(names.size());
+  for (int i = 0; i < len; i++) {
+    v8::Local<v8::Object> obj = v8::Object::New(isolate);
+    if (i == 0) {
+      first_map =
+          direct_handle(v8::Utils::OpenDirectHandle(*obj)->map(), i_isolate);
+    }
+    v8::Local<v8::String> name =
+        v8::String::NewFromOneByte(isolate,
+                                   reinterpret_cast<const uint8_t*>(&names[i]),
+                                   v8::NewStringType::kNormal, 1)
+            .ToLocalChecked();
+    obj->Set(context, name, v8::Integer::New(isolate, i)).Check();
+    DirectHandle<Map> current_map(v8::Utils::OpenDirectHandle(*obj)->map(),
+                                  i_isolate);
+  }
+  TestTransitionsAccessor transitions(i_isolate, first_map);
+  CHECK_EQ(names.size(), transitions.NumberOfTransitions());
+  CHECK(transitions.transitions()->IsSortedNoDuplicates());
+}
+
 }  // namespace internal
 }  // namespace v8