Revision: 4459
Author: [email protected]
Date: Wed Apr 21 03:24:56 2010
Log: Port bugfix in revision 4449 to 2.1 branch.

Review URL: http://codereview.chromium.org/1725002
http://code.google.com/p/v8/source/detail?r=4459

Modified:
 /branches/2.1/src/runtime.cc
 /branches/2.1/src/string.js
 /branches/2.1/src/version.cc

=======================================
--- /branches/2.1/src/runtime.cc        Tue Mar 30 07:14:28 2010
+++ /branches/2.1/src/runtime.cc        Wed Apr 21 03:24:56 2010
@@ -1705,8 +1705,6 @@

   void AddSubjectSlice(int from, int to) {
     AddSubjectSlice(&array_builder_, from, to);
-    // Can we encode the slice in 11 bits for length and 19 bits for
-    // start position - as used by StringBuilderConcatHelper?
     IncrementCharacterCount(to - from);
   }

@@ -5307,7 +5305,7 @@
 }


-template<typename sinkchar>
+template <typename sinkchar>
 static inline void StringBuilderConcatHelper(String* special,
                                              sinkchar* sink,
                                              FixedArray* fixed_array,
@@ -5378,33 +5376,41 @@

   bool ascii = special->IsAsciiRepresentation();
   int position = 0;
-  int increment = 0;
   for (int i = 0; i < array_length; i++) {
+    int increment = 0;
     Object* elt = fixed_array->get(i);
     if (elt->IsSmi()) {
       // Smi encoding of position and length.
-      int len = Smi::cast(elt)->value();
-      if (len > 0) {
+      int smi_value = Smi::cast(elt)->value();
+      int pos;
+      int len;
+      if (smi_value > 0) {
         // Position and length encoded in one smi.
-        int pos = len >> 11;
-        len &= 0x7ff;
-        if (pos + len > special_length) {
-          return Top::Throw(Heap::illegal_argument_symbol());
-        }
-        increment = len;
+        pos = StringBuilderSubstringPosition::decode(smi_value);
+        len = StringBuilderSubstringLength::decode(smi_value);
       } else {
         // Position and length encoded in two smis.
-        increment = (-len);
-        // Get the position and check that it is also a smi.
+        len = -smi_value;
+        // Get the position and check that it is a positive smi.
         i++;
         if (i >= array_length) {
           return Top::Throw(Heap::illegal_argument_symbol());
         }
-        Object* pos = fixed_array->get(i);
-        if (!pos->IsSmi()) {
+        Object* next_smi = fixed_array->get(i);
+        if (!next_smi->IsSmi()) {
           return Top::Throw(Heap::illegal_argument_symbol());
         }
-      }
+        pos = Smi::cast(next_smi)->value();
+        if (pos < 0) {
+          return Top::Throw(Heap::illegal_argument_symbol());
+        }
+      }
+      ASSERT(pos >= 0);
+      ASSERT(len >= 0);
+      if (pos > special_length || len > special_length - pos) {
+        return Top::Throw(Heap::illegal_argument_symbol());
+      }
+      increment = len;
     } else if (elt->IsString()) {
       String* element = String::cast(elt);
       int element_length = element->length();
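Review bot: The combined bounds check `if (pos > special_length || len > special_length - pos)` does not reject a negative `len`, so in the two-smi branch the only guard on `len = -smi_value` is `ASSERT(len >= 0)`, which is presumably compiled out of release builds. If the Smi range on any target reaches the minimum `int`, the negation overflows, and a negative `len` would pass the check and be assigned to `increment`. The array elements appear to be produced by script-side builder code (see the string.js section), so the release-mode check should stand on its own: `if (len < 0 || pos > special_length || len > special_length - pos) {`. The enclosing function starts and ends outside this hunk, so how `increment` is consumed is not visible here.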
=======================================
--- /branches/2.1/src/string.js Tue Mar 30 07:14:28 2010
+++ /branches/2.1/src/string.js Wed Apr 21 03:24:56 2010
@@ -912,10 +912,10 @@

 ReplaceResultBuilder.prototype.addSpecialSlice = function(start, end) {
   var len = end - start;
-  if (len == 0) return;
+  if (start < 0 || len <= 0) return;
   var elements = this.elements;
   if (start < 0x80000 && len < 0x800) {
-    elements[elements.length] = (start << 11) + len;
+    elements[elements.length] = (start << 11) | len;
   } else {
// 0 < len <= String::kMaxLength and Smi::kMaxValue >= String::kMaxLength,
     // so -len is a smi.
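Review bot: The encoder still hard-codes the slice layout as `0x80000`, `0x800` and `<< 11`, while the decoder in runtime.cc now goes through `StringBuilderSubstringPosition::decode` and `StringBuilderSubstringLength::decode`. The same commit also removes the runtime.cc comment that spelled out the 11-bit length / 19-bit start split. If the two sides ever disagree, the runtime would read wrong positions and lengths, so I would add a comment above `if (start < 0x80000 && len < 0x800)` such as `// Keep in sync with StringBuilderSubstringPosition/Length in runtime.cc: 11 bits of length, 19 bits of start.` A brief comment on `if (start < 0 || len <= 0) return;` stating that invalid slices are intentionally dropped without an error would also help. The function body continues past the end of this hunk.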
=======================================
--- /branches/2.1/src/version.cc        Fri Apr 16 00:50:54 2010
+++ /branches/2.1/src/version.cc        Wed Apr 21 03:24:56 2010
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     2
 #define MINOR_VERSION     1
 #define BUILD_NUMBER      10
-#define PATCH_LEVEL       6
+#define PATCH_LEVEL       7
 #define CANDIDATE_VERSION false

 // Define SONAME to have the SCons build the put a specific SONAME into the

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
