Revision: 3887
Author: [email protected]
Date: Wed Feb 17 05:04:30 2010
Log: Adding checks for the cases when array grows too big.
Review URL: http://codereview.chromium.org/601092
http://code.google.com/p/v8/source/detail?r=3887
Modified:
/branches/bleeding_edge/src/builtins.cc
/branches/bleeding_edge/test/mjsunit/array-splice.js
/branches/bleeding_edge/test/mjsunit/array-unshift.js
=======================================
--- /branches/bleeding_edge/src/builtins.cc Wed Feb 17 02:54:49 2010
+++ /branches/bleeding_edge/src/builtins.cc Wed Feb 17 05:04:30 2010
@@ -251,6 +251,9 @@
if (to_add == 0) {
return Smi::FromInt(len);
}
+ // Currently fixed arrays cannot grow too big, so
+ // we should never hit this case.
+ ASSERT(to_add <= (Smi::kMaxValue - len));
int new_length = len + to_add;
FixedArray* elms = FixedArray::cast(array->elements());
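Review bot: The added `ASSERT(to_add <= (Smi::kMaxValue - len));` only protects debug builds, because V8's ASSERT compiles to nothing in release mode, so `len + to_add` on the following line stays unchecked there. The same applies to the asserts added in the @@ -370 and @@ -614 hunks. to_add appears to be derived from the script-supplied argument count, so if the "fixed arrays cannot grow too big" invariant is ever relaxed, an overflowed new_length would flow into the array sizing. If the bound matters for memory safety, consider `CHECK(to_add <= (Smi::kMaxValue - len));`. The comment should also name the limit that guarantees the bound instead of "cannot grow too big". The enclosing function starts and ends outside the hunk.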
@@ -370,6 +373,10 @@
// the array.
int new_length = len + to_add;
+ // Currently fixed arrays cannot grow too big, so
+ // we should never hit this case.
+ ASSERT(to_add <= (Smi::kMaxValue - len));
+
FixedArray* elms = FixedArray::cast(array->elements());
// Fetch the prototype.
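Review bot: In this hunk the assert is placed after `int new_length = len + to_add;`, so the addition it is meant to guard has already been evaluated when the check runs, and signed overflow is undefined behaviour in C++. Move the comment and `ASSERT(to_add <= (Smi::kMaxValue - len));` above the `new_length` line, matching the order used in the @@ -251 hunk. The enclosing function continues outside the hunk.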
@@ -614,6 +621,10 @@
elms->set(k - 1, Heap::the_hole_value());
}
} else if (itemCount > actualDeleteCount) {
+ // Currently fixed arrays cannot grow too big, so
+ // we should never hit this case.
+ ASSERT((itemCount - actualDeleteCount) <= (Smi::kMaxValue - len));
+
FixedArray* source_elms = elms;
// Check if array need to grow.
=======================================
--- /branches/bleeding_edge/test/mjsunit/array-splice.js Wed Feb 17
02:54:49 2010
+++ /branches/bleeding_edge/test/mjsunit/array-splice.js Wed Feb 17
05:04:30 2010
@@ -268,3 +268,22 @@
assertFalse(array.hasOwnProperty(2 << 32 - 1));
}
})();
+
+
+// Check the behaviour when approaching maximal values for length.
+(function() {
+ for (var i = 0; i < 7; i++) {
+ try {
+ new Array((1 << 32) - 3).splice(-1, 0, 1, 2, 3, 4, 5);
+ throw 'Should have thrown RangeError';
+ } catch (e) {
+ assertTrue(e instanceof RangeError);
+ }
+
+ // Check smi boundary
+ var bigNum = (1 << 30) - 3;
+ var array = new Array(bigNum);
+ array.splice(-1, 0, 1, 2, 3, 4, 5, 6, 7);
+ assertEquals(bigNum + 7, array.length);
+ }
+})();
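Review bot: `(1 << 32) - 3` does not produce a length near 2^32, because JavaScript takes the shift count modulo 32, so `1 << 32` is 1 and the expression is -2. The RangeError therefore comes from `new Array(-2)` in the constructor, and `splice` is never called on a near-maximal array; the identical expression in the array-unshift.js hunk has the same problem with `unshift`. To exercise the intended path, write `new Array(Math.pow(2, 32) - 3).splice(-1, 0, 1, 2, 3, 4, 5);` (and likewise for `unshift`). It would also be stronger to construct the array outside the `try` so that only the call under test can satisfy the RangeError assertion. The smi-boundary case with `(1 << 30) - 3` evaluates as intended.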
=======================================
--- /branches/bleeding_edge/test/mjsunit/array-unshift.js Mon Feb 15
05:25:06 2010
+++ /branches/bleeding_edge/test/mjsunit/array-unshift.js Wed Feb 17
05:04:30 2010
@@ -114,3 +114,19 @@
assertTrue(delete Array.prototype[5]);
assertTrue(delete Array.prototype[7]);
})();
+
+// Check the behaviour when approaching maximal values for length.
+(function() {
+ for (var i = 0; i < 7; i++) {
+ try {
+ new Array((1 << 32) - 3).unshift(1, 2, 3, 4, 5);
+ throw 'Should have thrown RangeError';
+ } catch (e) {
+ assertTrue(e instanceof RangeError);
+ }
+
+ // Check smi boundary
+ var bigNum = (1 << 30) - 3;
+ assertEquals(bigNum + 7, new Array(bigNum).unshift(1, 2, 3, 4, 5, 6,
7));
+ }
+})();