[v8-dev] [v8] r9707 committed - Fix Array.filter to use internal array for result....

Wed, 19 Oct 2011 06:44:42 -0700 

Revision: 9707
Author:   [email protected]
Date:     Wed Oct 19 06:44:29 2011
Log:      Fix Array.filter to use internal array for result.

In built-in code we use arrays for internal computations. This makes it
possible to affect the built-in code by putting getters or setters on
the array prototype chain. Using internal arrays prevents those issues.

Related to: http://code.google.com/p/v8/source/detail?r=7040

[email protected]
TEST=test262/15.4.4.20-9-b-6

Review URL: http://codereview.chromium.org/8353006
http://code.google.com/p/v8/source/detail?r=9707

Modified:
 /branches/bleeding_edge/src/array.js
 /branches/bleeding_edge/test/test262/test262.status

=======================================
--- /branches/bleeding_edge/src/array.js        Wed Oct 19 02:24:37 2011
+++ /branches/bleeding_edge/src/array.js        Wed Oct 19 06:44:29 2011
@@ -1017,16 +1017,18 @@
     receiver = ToObject(receiver);
   }

-  var result = [];
-  var result_length = 0;
+  var result = new $Array();
+  var accumulator = new InternalArray();
+  var accumulator_length = 0;
   for (var i = 0; i < length; i++) {
     var current = array[i];
     if (!IS_UNDEFINED(current) || i in array) {
       if (%_CallFunction(receiver, current, i, array, f)) {
-        result[result_length++] = current;
+        accumulator[accumulator_length++] = current;
       }
     }
   }
+  %MoveArrayContents(accumulator, result);
   return result;
 }

=======================================
--- /branches/bleeding_edge/test/test262/test262.status Wed Oct 19 02:06:15 2011 +++ /branches/bleeding_edge/test/test262/test262.status Wed Oct 19 06:44:29 2011 
@@ -475,24 +475,9 @@
 # Bug? Array.prototype.map - decreasing length of array does not delete
 #      non-configurable properties
 15.4.4.19-8-b-16: FAIL
-# Bug? Array.prototype.filter - properties can be added to prototype after
-#      current position are visited on an Array-like object
-15.4.4.20-9-b-6: FAIL
 # Bug? Array.prototype.filter - decreasing length of array does not delete
 #      non-configurable properties
 15.4.4.20-9-b-16: FAIL
-# Bug? Array.prototype.filter - element to be retrieved is own data property 
-#      that overrides an inherited accessor property on an Array
-15.4.4.20-9-c-i-6: FAIL
-# Bug? Array.prototype.filter - element to be retrieved is own accessor property 
-#      that overrides an inherited accessor property on an Array
-15.4.4.20-9-c-i-14: FAIL
-# Bug? Array.prototype.filter - element to be retrieved is inherited accessor 
-#      property on an Array
-15.4.4.20-9-c-i-16: FAIL
-# Bug? Array.prototype.filter - element to be retrieved is inherited accessor 
-#      property without a get function on an Array
-15.4.4.20-9-c-i-22: FAIL
# Bug? Array.prototype.reduce - decreasing length of array in step 8 does not 
 #      delete non-configurable properties
 15.4.4.21-9-b-16: FAIL

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev

Reply via email to