Reviewers: Toon Verwaest,
Description:
Fix setting array length to zero for slow elements.
[email protected]
BUG=chromium:146910
TEST=mjsunit/regress/regress-crbug-146910
Please review this at https://chromiumcodereview.appspot.com/10937026/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/elements.cc
A + test/mjsunit/regress/regress-crbug-146910.js
Index: src/elements.cc
diff --git a/src/elements.cc b/src/elements.cc
index
4cb50a461d4a69790e70d2d5d5795e874fe7b99b..39686a2eabfa579499bdd04fd8f06cb68415e1c0
100644
--- a/src/elements.cc
+++ b/src/elements.cc
@@ -1268,7 +1268,30 @@ class DictionaryElementsAccessor
JSArray* array,
Object* length_object,
uint32_t length) {
- if (length == 0) {
+ Heap* heap = array->GetHeap();
+ int capacity = dict->Capacity();
+ uint32_t new_length = length;
+ uint32_t old_length = static_cast<uint32_t>(array->length()->Number());
+ if (new_length < old_length) {
+ // Find last non-deletable element in range of elements to be
+ // deleted and adjust range accordingly.
+ for (int i = 0; i < capacity; i++) {
+ Object* key = dict->KeyAt(i);
+ if (key->IsNumber()) {
+ uint32_t number = static_cast<uint32_t>(key->Number());
+ if (new_length <= number && number < old_length) {
+ PropertyDetails details = dict->DetailsAt(i);
+ if (details.IsDontDelete()) new_length = number + 1;
+ }
+ }
+ }
+ if (new_length != length) {
+ MaybeObject* maybe_object = heap->NumberFromUint32(new_length);
+ if (!maybe_object->To(&length_object)) return maybe_object;
+ }
+ }
+
+ if (new_length == 0) {
// If the length of a slow array is reset to zero, we clear
// the array and flush backing storage. This has the added
// benefit that the array returns to fast mode.
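Review bot: The `if (new_length == 0)` test now depends on the scan above having raised `new_length` past the last DontDelete entry, but the comment under it still describes only the plain reset-to-zero case. Because `ResetElements()` flushes the backing store, a later refactor that moves this check back above the scan would silently discard non-configurable elements again. I would add `// new_length has already been raised past the last DontDelete element, so 0 here means nothing has to survive the reset.` directly above the branch. The function signature starts before this hunk and the branch body continues in the next one.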
@@ -1276,45 +1299,22 @@ class DictionaryElementsAccessor
MaybeObject* maybe_obj = array->ResetElements();
if (!maybe_obj->ToObject(&obj)) return maybe_obj;
} else {
- uint32_t new_length = length;
- uint32_t old_length =
static_cast<uint32_t>(array->length()->Number());
- if (new_length < old_length) {
- // Find last non-deletable element in range of elements to be
- // deleted and adjust range accordingly.
- Heap* heap = array->GetHeap();
- int capacity = dict->Capacity();
- for (int i = 0; i < capacity; i++) {
- Object* key = dict->KeyAt(i);
- if (key->IsNumber()) {
- uint32_t number = static_cast<uint32_t>(key->Number());
- if (new_length <= number && number < old_length) {
- PropertyDetails details = dict->DetailsAt(i);
- if (details.IsDontDelete()) new_length = number + 1;
- }
+ // Remove elements that should be deleted.
+ int removed_entries = 0;
+ Object* the_hole_value = heap->the_hole_value();
+ for (int i = 0; i < capacity; i++) {
+ Object* key = dict->KeyAt(i);
+ if (key->IsNumber()) {
+ uint32_t number = static_cast<uint32_t>(key->Number());
+ if (new_length <= number && number < old_length) {
+ dict->SetEntry(i, the_hole_value, the_hole_value);
+ removed_entries++;
}
}
- if (new_length != length) {
- MaybeObject* maybe_object = heap->NumberFromUint32(new_length);
- if (!maybe_object->To(&length_object)) return maybe_object;
- }
-
- // Remove elements that should be deleted.
- int removed_entries = 0;
- Object* the_hole_value = heap->the_hole_value();
- for (int i = 0; i < capacity; i++) {
- Object* key = dict->KeyAt(i);
- if (key->IsNumber()) {
- uint32_t number = static_cast<uint32_t>(key->Number());
- if (new_length <= number && number < old_length) {
- dict->SetEntry(i, the_hole_value, the_hole_value);
- removed_entries++;
- }
- }
- }
-
- // Update the number of elements.
- dict->ElementsRemoved(removed_entries);
}
+
+ // Update the number of elements.
+ dict->ElementsRemoved(removed_entries);
}
return length_object;
}
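Review bot: The removal loop in the `else` branch is no longer guarded by `new_length < old_length`, so a length increase on a dictionary-mode array now walks all `capacity` entries even though the range `[new_length, old_length)` is empty and nothing can match. Wrapping the loop and the `dict->ElementsRemoved(removed_entries);` call in `if (new_length < old_length) { ... }` would keep the previous cost for growing arrays. A one-line comment on the loop saying that it relies on the first pass having left no DontDelete entry inside the range would also make the two-pass contract explicit.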
Index: test/mjsunit/regress/regress-crbug-146910.js
diff --git a/test/mjsunit/regress/regress-110509.js
b/test/mjsunit/regress/regress-crbug-146910.js
similarity index 87%
copy from test/mjsunit/regress/regress-110509.js
copy to test/mjsunit/regress/regress-crbug-146910.js
index
132bd233bee32f6c84061049224ea43901dae06a..120f80973192fa9b5ee1db6797da6c13e4358c31
100644
--- a/test/mjsunit/regress/regress-110509.js
+++ b/test/mjsunit/regress/regress-crbug-146910.js
@@ -25,17 +25,14 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-// Flags: --allow-natives-syntax
+var x = [];
+assertSame(0, x.length);
+assertSame(undefined, x[0]);
-// Verify that LRandom preserves rsi correctly.
+Object.defineProperty(x, '0', { value: 7, configurable: false });
+assertSame(1, x.length);
+assertSame(7, x[0]);
-function foo() {
- Math.random();
- new Function("");
-}
-
-foo();
-foo();
-foo();
-%OptimizeFunctionOnNextCall(foo);
-foo();
+x.length = 0;
+assertSame(1, x.length);
+assertSame(7, x[0]);
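Review bot: The test covers only a single non-configurable element at index 0, so it shows the array is not reset but never exercises the adjusted range deletion in the `else` branch. A configurable element above the non-configurable one would pin that: after `x[5] = 1; x.length = 0;` the expectations would be `assertSame(1, x.length);` and `assertSame(undefined, x[5]);`. It may also be worth asserting what the same assignment does in strict-mode code, which this file does not cover.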