Revision: 25190
Author: [email protected]
Date: Thu Nov 6 12:55:52 2014 UTC
Log: Allow JSArray fast moving elements even if the array's proto
isn't Array.prototype in original state
Otherwise array builtins don't work on internal arrays.
BUG=v8:3681
LOG=n
[email protected], [email protected]
Review URL: https://codereview.chromium.org/706703005
https://code.google.com/p/v8/source/detail?r=25190
Modified:
/branches/bleeding_edge/src/builtins.cc
/branches/bleeding_edge/test/mjsunit/mjsunit.status
=======================================
--- /branches/bleeding_edge/src/builtins.cc Mon Nov 3 14:05:57 2014 UTC
+++ /branches/bleeding_edge/src/builtins.cc Thu Nov 6 12:55:52 2014 UTC
@@ -182,23 +182,16 @@
}
-static bool ArrayPrototypeHasNoElements(Heap* heap,
- Context* native_context,
- JSObject* array_proto) {
+static bool ArrayPrototypeHasNoElements(Heap* heap, PrototypeIterator*
iter) {
DisallowHeapAllocation no_gc;
- // This method depends on non writability of Object and Array prototype
- // fields.
- if (array_proto->elements() != heap->empty_fixed_array()) return false;
- // Object.prototype
- PrototypeIterator iter(heap->isolate(), array_proto);
- if (iter.IsAtEnd()) {
- return false;
+ for (; !iter->IsAtEnd(); iter->Advance()) {
+ if (iter->GetCurrent()->IsJSProxy()) return false;
+ if (JSObject::cast(iter->GetCurrent())->elements() !=
+ heap->empty_fixed_array()) {
+ return false;
+ }
}
- array_proto = JSObject::cast(iter.GetCurrent());
- if (array_proto != native_context->initial_object_prototype()) return
false;
- if (array_proto->elements() != heap->empty_fixed_array()) return false;
- iter.Advance();
- return iter.IsAtEnd();
+ return true;
}
@@ -206,12 +199,8 @@
JSArray* receiver) {
if (!FLAG_clever_optimizations) return false;
DisallowHeapAllocation no_gc;
- Context* native_context = heap->isolate()->context()->native_context();
- JSObject* array_proto =
- JSObject::cast(native_context->array_function()->prototype());
PrototypeIterator iter(heap->isolate(), receiver);
- return iter.GetCurrent() == array_proto &&
- ArrayPrototypeHasNoElements(heap, native_context, array_proto);
+ return ArrayPrototypeHasNoElements(heap, &iter);
}
@@ -920,9 +909,10 @@
DisallowHeapAllocation no_gc;
Heap* heap = isolate->heap();
Context* native_context = isolate->context()->native_context();
- JSObject* array_proto =
- JSObject::cast(native_context->array_function()->prototype());
- if (!ArrayPrototypeHasNoElements(heap, native_context, array_proto)) {
+ Object* array_proto = native_context->array_function()->prototype();
+ PrototypeIterator iter(isolate, array_proto,
+ PrototypeIterator::START_AT_RECEIVER);
+ if (!ArrayPrototypeHasNoElements(heap, &iter)) {
AllowHeapAllocation allow_allocation;
return CallJsBuiltin(isolate, "ArrayConcatJS", args);
}
=======================================
--- /branches/bleeding_edge/test/mjsunit/mjsunit.status Thu Nov 6 11:52:45
2014 UTC
+++ /branches/bleeding_edge/test/mjsunit/mjsunit.status Thu Nov 6 12:55:52
2014 UTC
@@ -74,16 +74,13 @@
# Some tests are just too slow to run for now.
'bit-not': [PASS, NO_VARIANTS],
+ 'json2': [PASS, NO_VARIANTS],
'packed-elements': [PASS, NO_VARIANTS],
'unbox-double-arrays': [PASS, NO_VARIANTS],
'whitespaces': [PASS, NO_VARIANTS],
'compiler/osr-assert': [PASS, NO_VARIANTS],
'regress/regress-2185-2': [PASS, NO_VARIANTS],
- # BUG(3681). Skipping in 64 bits debug is part of the bug report.
- # Running no variants was the default.
- 'json2': [PASS, NO_VARIANTS, ['mode == debug and (arch == x64 or arch ==
arm64 or arch == android_arm64 or arch == mips64el)', SKIP]],
-
# Issue 3660: Replacing activated TurboFan frames by unoptimized code
does
# not work, but we expect it to not crash.
'debug-step-turbofan': [PASS, FAIL],
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
