Fix deadlock when promoting to ThreadSafeHashSlotMap

The implementation of thread-safe slot map promotion done in
mozilla#1785 has a critical bug:
appending enough properties to an object created with the thread-safe
slot maps will cause a promotion to `ThreadSafeHashSlotMap`, which
will deadlock.

I have added a test that reproduces the problem and a fix for it.

Author: andreabergia

rhino/src/main/java/org/mozilla/javascript/EmbeddedSlotMap.java

@@ -131,7 +131,7 @@ private void createNewSlot(SlotMapOwner owner, Slot newSlot) {
         // Check if the table is not too full before inserting.
         if (4 * (count + 1) > 3 * slots.length) {
             // table size must be a power of 2 -- always grow by x2!
-            if (count > SlotMapOwner.LARGE_HASH_SIZE) {
+            if (count >= SlotMapOwner.LARGE_HASH_SIZE) {
                 promoteMap(owner, newSlot);
                 return;
             }

rhino/src/main/java/org/mozilla/javascript/SlotMapOwner.java

@@ -10,7 +10,12 @@
 public abstract class SlotMapOwner {
     private static final long serialVersionUID = 1L;
 
-    static final int LARGE_HASH_SIZE = 2000;
+    /**
+     * Maximum size of an {@link EmbeddedSlotMap} before it is promoted to a {@link HashSlotMap}.
+     * The value must be 3/4 of a power of two, because the embedded slot map's slot size must be a
+     * power of two, and it is resized when it is 3/4 full.
+     */
+    static final int LARGE_HASH_SIZE = (1 << 10) + (1 << 9);
 
     static final SlotMap EMPTY_SLOT_MAP = new EmptySlotMap();
 

rhino/src/main/java/org/mozilla/javascript/ThreadSafeEmbeddedSlotMap.java

@@ -34,7 +34,7 @@ public int size() {
 
     @Override
     public int dirtySize() {
-        assert lock.isReadLocked();
+        assert lock.isReadLocked() || lock.isWriteLocked();
         return current.sizeWithLock();
     }
 

rhino/src/main/java/org/mozilla/javascript/ThreadSafeHashSlotMap.java

@@ -26,7 +26,7 @@ public ThreadSafeHashSlotMap(StampedLock lock, SlotMap oldMap) {
     }
 
     public ThreadSafeHashSlotMap(StampedLock lock, SlotMap oldMap, Slot newSlot) {
-        super(oldMap.size() + 1);
+        super(oldMap.dirtySize() + 1);
         this.lock = lock;
         for (Slot n : oldMap) {
             addWithLock(null, n.copySlot());
@@ -52,7 +52,7 @@ public int size() {
 
     @Override
     public int dirtySize() {
-        assert lock.isReadLocked();
+        assert lock.isReadLocked() || lock.isWriteLocked();
         return super.size();
     }
 

rhino/src/test/java/org/mozilla/javascript/SlotMapPromotionTest.java

@@ -0,0 +1,80 @@
+package org.mozilla.javascript;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.util.function.Supplier;
+import org.junit.jupiter.api.Test;
+
+/** Ensures that slot map promotion */
+class SlotMapPromotionTest {
+    @Test
+    public void promotionFromEmptyToSingleSlot() {
+        assertPromotes(() -> SlotMapOwner.EMPTY_SLOT_MAP, SlotMapOwner.SingleEntrySlotMap.class);
+    }
+
+    @Test
+    public void promotionFromSingleToEmbedded() {
+        assertPromotes(
+                () -> new SlotMapOwner.SingleEntrySlotMap(new Slot(new Object(), 0, 0)),
+                EmbeddedSlotMap.class);
+    }
+
+    @Test
+    public void promotionFromEmbeddedToHash() {
+        assertPromotes(
+                () -> {
+                    var map = new EmbeddedSlotMap(SlotMapOwner.LARGE_HASH_SIZE);
+                    fillToCapacity(SlotMapOwner.LARGE_HASH_SIZE, map);
+                    return map;
+                },
+                HashSlotMap.class);
+    }
+
+    @Test
+    public void promotionFromThreadSafeEmptyToSingleSlot() {
+        assertPromotes(
+                () -> SlotMapOwner.THREAD_SAFE_EMPTY_SLOT_MAP,
+                SlotMapOwner.ThreadSafeSingleEntrySlotMap.class);
+    }
+
+    @Test
+    public void promotionFromThreadSafeSingleToEmbedded() {
+        assertPromotes(
+                () -> new SlotMapOwner.ThreadSafeSingleEntrySlotMap(new Slot(new Object(), 0, 0)),
+                ThreadSafeEmbeddedSlotMap.class);
+    }
+
+    @Test
+    public void promotionFromThreadSafeEmbeddedToHash() {
+        assertPromotes(
+                () -> {
+                    var map = new ThreadSafeEmbeddedSlotMap();
+                    fillToCapacity(SlotMapOwner.LARGE_HASH_SIZE, map);
+                    return map;
+                },
+                ThreadSafeHashSlotMap.class);
+    }
+
+    private static void fillToCapacity(int size, EmbeddedSlotMap map) {
+        for (int i = 0; i < size; ++i) {
+            map.add(null, new Slot(Integer.toString(i), i, 0));
+        }
+    }
+
+    private void assertPromotes(
+            Supplier<SlotMap> slotMapSupplier, Class<? extends SlotMap> expectedClass) {
+        ScriptableObject obj = new TestScriptableObject();
+        obj.setMap(slotMapSupplier.get());
+
+        // Add one more slot to ensure the promotion
+        obj.put("xxx", obj, "one more property");
+
+        assertEquals(expectedClass, obj.getMap().getClass());
+    }
+
+    private static class TestScriptableObject extends ScriptableObject {
+        public String getClassName() {
+            return "foo";
+        }
+    }
+}