Reviewers: Michael Starzinger,
Message:
PTAL
Description:
Don't fast RemoveArrayHoles in case of arguments arrays.
BUG=351645
LOG=n
Please review this at https://codereview.chromium.org/197043004/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+14, -10 lines):
M src/array.js
M src/runtime.cc
A + test/mjsunit/regress/regress-sort-arguments.js
Index: src/array.js
diff --git a/src/array.js b/src/array.js
index
9b71283945992d15e4eb1e5a504bbb24527d3561..e48230e2bd738e042cf0046d00c47ff96d984d4d
100644
--- a/src/array.js
+++ b/src/array.js
@@ -1115,8 +1115,8 @@ function ArraySort(comparefn) {
max_prototype_element = CopyFromPrototype(this, length);
}
- var num_non_undefined = %IsObserved(this) ?
- -1 : %RemoveArrayHoles(this, length);
+ // %RemoveArrayHoles returns -1 if fast removal is not supported.
+ var num_non_undefined = %RemoveArrayHoles(this, length);
if (num_non_undefined == -1) {
// The array is observed, or there were indexed accessors in the array.
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index
140c3234e6bed870ad706b7a96ff8d5e99ed7d77..61ebc0ad55122767412e82aac5d6367e8986dc14
100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -10508,11 +10508,17 @@ RUNTIME_FUNCTION(MaybeObject*,
Runtime_GlobalPrint) {
// and are followed by non-existing element. Does not change the length
// property.
// Returns the number of non-undefined elements collected.
+// Returns -1 if hole removal is not supported by this method.
RUNTIME_FUNCTION(MaybeObject*, Runtime_RemoveArrayHoles) {
HandleScope scope(isolate);
ASSERT(args.length() == 2);
CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
CONVERT_NUMBER_CHECKED(uint32_t, limit, Uint32, args[1]);
+ if (object->HasFastArgumentsElements() ||
+ object->HasDictionaryArgumentsElements() ||
+ object->map()->is_observed()) {
+ return Smi::FromInt(-1);
+ }
return *JSObject::PrepareElementsForSort(object, limit);
}
Index: test/mjsunit/regress/regress-sort-arguments.js
diff --git a/test/mjsunit/regress/regress-347904.js
b/test/mjsunit/regress/regress-sort-arguments.js
similarity index 53%
copy from test/mjsunit/regress/regress-347904.js
copy to test/mjsunit/regress/regress-sort-arguments.js
index
1a27b054a4b89b8e8841c9311f1c155aea7ce4d7..54ebeb111bbc9ad7411f1c970660ab7c136244c1
100644
--- a/test/mjsunit/regress/regress-347904.js
+++ b/test/mjsunit/regress/regress-sort-arguments.js
@@ -2,11 +2,9 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-// Flags: --allow-natives-syntax --stress-runs=2
-
-var v = /abc/;
-function f() {
- v = 1578221999;
-};
-%OptimizeFunctionOnNextCall(f);
-f();
+function f(a) { return arguments; }
+var a = f(1,2,3);
+delete a[1];
+Array.prototype.sort.apply(a);
+a[10000000] = 4;
+Array.prototype.sort.apply(a);
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
