Reviewers: ,

Message:

Mads,

here is the promised CL. Technically it fixes a bug in ArrayPush (when you have an array in fast elements mode and try to add some elements so that the new length doesn't fit in a Smi...), but I doubt we ever see this in practice. Still, it probably needs a treatment. I hope it has negligible perf impact, but I will double check later.

http://codereview.chromium.org/601092/diff/1/2
File src/builtins.cc (right):

http://codereview.chromium.org/601092/diff/1/2#newcode624
src/builtins.cc:624: if ((itemCount - actualDeleteCount) > (Smi::kMaxValue - len)) {
Calling that late, after the result array has been created and populated, might be a bad idea, but this case hopefully shouldn't be hit often.

http://codereview.chromium.org/601092/diff/1/3
File test/mjsunit/array-splice.js (right):

http://codereview.chromium.org/601092/diff/1/3#newcode283
test/mjsunit/array-splice.js:283: // Check smi boundary
Technically we should have grown the array to this boundary keeping it in fast elements mode, but, alas, that takes too long.

Description:
Adding checks for the cases when the array grows too big.

Please review this at http://codereview.chromium.org/601092

Affected files:
  M src/builtins.cc
  M test/mjsunit/array-splice.js
  M test/mjsunit/array-unshift.js

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
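As an added illustration (not code from the CL under review or from V8), a C++ model of the length bookkeeping in Array.prototype.splice with the quoted Smi check applied before anything would be allocated, which is the ordering the comment above argues for. kSmiMaxValue, PlanSplice and SpliceResult are assumed names, and the 2^30 - 1 limit is the 32-bit Smi range, which the message does not state.

```cpp
#include <algorithm>

// Assumption: the Smi limit of 32-bit V8 builds, 2^30 - 1; the message does
// not give the value, so adjust it for other builds.
const int kSmiMaxValue = (1 << 30) - 1;

enum class SpliceStatus { kOk, kTooLarge };

struct SpliceResult {
  SpliceStatus status;
  int new_length;           // length the array would have after the splice
  int actual_delete_count;  // elements that would actually be removed
};

// Models Array.prototype.splice(start, deleteCount, item1, ..., itemN) on an
// array of length len. Clamps start and deleteCount the way ES5 15.4.4.12 does,
// then applies the condition quoted from builtins.cc before any result array
// would be built, so an oversized result is rejected up front rather than after
// the result array has been created and populated.
SpliceResult PlanSplice(int len, int start, int delete_count, int item_count) {
  int actual_start = start < 0 ? std::max(len + start, 0) : std::min(start, len);
  int actual_delete_count =
      std::min(std::max(delete_count, 0), len - actual_start);
  // Same condition as the CL: the new length, len - actualDeleteCount +
  // itemCount, must not exceed Smi::kMaxValue.
  if ((item_count - actual_delete_count) > (kSmiMaxValue - len)) {
    return {SpliceStatus::kTooLarge, len, actual_delete_count};
  }
  return {SpliceStatus::kOk, len - actual_delete_count + item_count,
          actual_delete_count};
}
```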
