Reviewers: Lasse Reichstein,
Message:
Lasse,
may you have a look?
Description:
Current custom call generators cannot cope with the case when receiver is
not a
JSArray.
Add a support for bailout from custom call generators (just return
undefined).
BUG=684
Please review this at http://codereview.chromium.org/1699005/show
Affected files:
M src/ia32/stub-cache-ia32.cc
M test/mjsunit/array-pop.js
M test/mjsunit/array-push.js
Index: src/ia32/stub-cache-ia32.cc
diff --git a/src/ia32/stub-cache-ia32.cc b/src/ia32/stub-cache-ia32.cc
index
11c4ac73a01fef598e481b09f83ae75b10dbbbbc..eba4e1fd5f2bd3f10b0a9551eeaabdd63646f803
100644
--- a/src/ia32/stub-cache-ia32.cc
+++ b/src/ia32/stub-cache-ia32.cc
@@ -1241,6 +1241,11 @@ Object*
CallStubCompiler::CompileArrayPushCall(Object* object,
// -----------------------------------
ASSERT(check == RECEIVER_MAP_CHECK);
+ // If object is not an array, bail out to regular call.
+ if (!object->IsJSArray()) {
+ return Heap::undefined_value();
+ }
+
Label miss;
// Get the receiver from the stack.
@@ -1389,6 +1394,11 @@ Object*
CallStubCompiler::CompileArrayPopCall(Object* object,
// -----------------------------------
ASSERT(check == RECEIVER_MAP_CHECK);
+ // If object is not an array, bail out to regular call.
+ if (!object->IsJSArray()) {
+ return Heap::undefined_value();
+ }
+
Label miss, empty_array, call_builtin;
// Get the receiver from the stack.
@@ -1476,7 +1486,11 @@ Object*
CallStubCompiler::CompileCallConstant(Object* object,
if (function_info->HasCustomCallGenerator()) {
CustomCallGenerator generator =
ToCData<CustomCallGenerator>(function_info->function_data());
- return generator(this, object, holder, function, name, check);
+ Object* result = generator(this, object, holder, function, name,
check);
+ // undefined means bail out to regular compiler.
+ if (!result->IsUndefined()) {
+ return result;
+ }
}
Label miss_in_smi_check;
Index: test/mjsunit/array-pop.js
diff --git a/test/mjsunit/array-pop.js b/test/mjsunit/array-pop.js
index
4edd02614b3ac262f1193dc3ea91d3f8cd2b1813..8d10e77fe7d9d3877c6f379de6c5c06ad6541081
100644
--- a/test/mjsunit/array-pop.js
+++ b/test/mjsunit/array-pop.js
@@ -59,3 +59,13 @@
assertEquals(0, a.length, "length 9th pop");
}
})();
+
+// Play with prototype chains.
+(function() {
+ var a = [];
+ for (var i = 0; i < 100; i++) a.push(i);
+ var x = {__proto__: a};
+ for (var i = 0; i < 100; i++) {
+ assertEquals(99 - i, x.pop(), i + 'th iteration');
+ }
+})();
Index: test/mjsunit/array-push.js
diff --git a/test/mjsunit/array-push.js b/test/mjsunit/array-push.js
index
baccf000c4708cb2c69eaac50ef0f966f5a8cbe3..6ebfbf70585a067f1a7c3c31cbd9b92365033981
100644
--- a/test/mjsunit/array-push.js
+++ b/test/mjsunit/array-push.js
@@ -103,3 +103,12 @@
assertEquals(29, a.push(29));
}
})();
+
+// Play with prototype chains.
+(function() {
+ var x = {__proto__: []};
+ for (var i = 0; i < 100; i++) {
+ x.push("a");
+ assertEquals(i + 1, x.length, i + 'th iteration');
+ }
+})();
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
