Reviewers: Yang,

Message:
Committed patchset #1 manually as r19862 (presubmit successful).

Description:
Use intrinsics for builtin ArrayBuffer property accesses

BUG=chromium:351787
LOG=y
[email protected]

Committed: https://code.google.com/p/v8/source/detail?r=19862

Please review this at https://codereview.chromium.org/197793003/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+54, -7 lines):
  M src/arraybuffer.js
  M src/runtime.cc
  M src/typedarray.js
  A test/mjsunit/regress/regress-crbug-351787.js


Index: src/arraybuffer.js
diff --git a/src/arraybuffer.js b/src/arraybuffer.js
index 6125f0f61cb3eb1a258573106a5f4bb2daa7ee17..cfaa8d7efca4689b9b715cd3fb34212d6e35346e 100644
--- a/src/arraybuffer.js
+++ b/src/arraybuffer.js
@@ -57,17 +57,18 @@ function ArrayBufferSlice(start, end) {

   var relativeStart = TO_INTEGER(start);
   var first;
+  var byte_length = %ArrayBufferGetByteLength(this);
   if (relativeStart < 0) {
-    first = MathMax(this.byteLength + relativeStart, 0);
+    first = MathMax(byte_length + relativeStart, 0);
   } else {
-    first = MathMin(relativeStart, this.byteLength);
+    first = MathMin(relativeStart, byte_length);
   }
-  var relativeEnd = IS_UNDEFINED(end) ? this.byteLength : TO_INTEGER(end);
+  var relativeEnd = IS_UNDEFINED(end) ? byte_length : TO_INTEGER(end);
   var fin;
   if (relativeEnd < 0) {
-    fin = MathMax(this.byteLength + relativeEnd, 0);
+    fin = MathMax(byte_length + relativeEnd, 0);
   } else {
-    fin = MathMin(relativeEnd, this.byteLength);
+    fin = MathMin(relativeEnd, byte_length);
   }

   if (fin < first) {
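Review bot: The new `byte_length` local is read once, after `TO_INTEGER(start)` and before `TO_INTEGER(end)`, and nothing in the hunk says why the intrinsic replaces `this.byteLength`. A one-line comment above it would keep a later cleanup from reverting to the property, e.g. `// Use the internal length; the byteLength property can be replaced by a user-defined getter.` `TO_INTEGER(end)` may run script-defined conversion code, so it is worth confirming that the buffer's length cannot change between this read and the copy that follows the clamping. ArrayBufferSlice starts and ends outside the hunk, so any receiver check on `this` before the intrinsic call is not visible here.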
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index 71ea2d0f75cb6e51e9ea29fb079aae9600c23345..7d2c703e34a687a0a4eaf87802481cf4f06cb765 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -952,6 +952,10 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_TypedArrayInitializeFromArrayLike) {
   Runtime::ArrayIdToTypeAndSize(arrayId, &array_type, &element_size);

   Handle<JSArrayBuffer> buffer = isolate->factory()->NewJSArrayBuffer();
+  if (source->IsJSTypedArray() &&
+      JSTypedArray::cast(*source)->type() == array_type) {
+ length_obj = Handle<Object>(JSTypedArray::cast(*source)->length(), isolate);
+  }
   size_t length = NumberToSize(isolate, *length_obj);

   if ((length > static_cast<unsigned>(Smi::kMaxValue)) ||
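Review bot: The override of `length_obj` applies only when the source's `type()` equals `array_type`, so a typed-array source of a different element type still reaches `NumberToSize` with the caller-supplied length. If the code after the hunk copies raw bytes from the source in that case, it should use the internal length as well. If it falls back to element-wise copying, a comment on the new branch would explain the asymmetry, e.g. `// Take the length from the typed array itself; the value passed in comes from a JS-visible property.` The function starts and ends outside the hunk, so the copy paths cannot be checked from here.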
Index: src/typedarray.js
diff --git a/src/typedarray.js b/src/typedarray.js
index 0c0cb71b2a3bf883972384a8cb1d86be23baa299..88fbb34245f3223001897c1108b68b926fd7f761 100644
--- a/src/typedarray.js
+++ b/src/typedarray.js
@@ -49,7 +49,7 @@ endmacro

 macro TYPED_ARRAY_CONSTRUCTOR(ARRAY_ID, NAME, ELEMENT_SIZE)
   function NAMEConstructByArrayBuffer(obj, buffer, byteOffset, length) {
-    var bufferByteLength = buffer.byteLength;
+    var bufferByteLength = %ArrayBufferGetByteLength(buffer);
     var offset;
     if (IS_UNDEFINED(byteOffset)) {
       offset = 0;
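Review bot: `%ArrayBufferGetByteLength(buffer)` in NAMEConstructByArrayBuffer has no visible check that `buffer` is a real ArrayBuffer, whereas the DataViewConstructor hunk below shows an `IS_ARRAYBUFFER(buffer)` guard directly above the same call. The check is presumably made by the caller before it dispatches here. Stating that next to the call would document the precondition, e.g. `// Caller guarantees IS_ARRAYBUFFER(buffer).` The function body continues outside the hunk.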
@@ -317,7 +317,7 @@ function DataViewConstructor(buffer, byteOffset, byteLength) { // length = 3
     if (!IS_ARRAYBUFFER(buffer)) {
       throw MakeTypeError('data_view_not_array_buffer', []);
     }
-    var bufferByteLength = buffer.byteLength;
+    var bufferByteLength = %ArrayBufferGetByteLength(buffer);
     var offset = IS_UNDEFINED(byteOffset) ?
       0 : ToPositiveInteger(byteOffset, 'invalid_data_view_offset');
     if (offset > bufferByteLength) {
Index: test/mjsunit/regress/regress-crbug-351787.js
diff --git a/test/mjsunit/regress/regress-crbug-351787.js b/test/mjsunit/regress/regress-crbug-351787.js
new file mode 100644
index 0000000000000000000000000000000000000000..74cabf2b9a3dfbf7284202b48e5651eaa9c722f6
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-351787.js
@@ -0,0 +1,42 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var ab1 = new ArrayBuffer(8);
+ab1.__defineGetter__("byteLength", function() { return 1000000; });
+var ab2 = ab1.slice(800000, 900000);
+var array = new Uint8Array(ab2);
+for (var i = 0; i < array.length; i++) {
+  assertEquals(0, array[i]);
+}
+assertEquals(0, array.length);
+
+
+var ab3 = new ArrayBuffer(8);
+ab3.__defineGetter__("byteLength", function() { return 0xFFFFFFFC; });
+var aaa = new DataView(ab3);
+
+for (var i = 10; i < aaa.length; i++) {
+  aaa.setInt8(i, 0xcc);
+}
+assertEquals(8, aaa.byteLength);
+
+
+var a = new Int8Array(4);
+a.__defineGetter__("length", function() { return 0xFFFF; });
+var b = new Int8Array(a);
+for (var i = 0; i < b.length; i++) {
+  assertEquals(0, b[i]);
+}
+
+
+var ab4 = new ArrayBuffer(8);
+ab4.__defineGetter__("byteLength", function() { return 0xFFFFFFFC; });
+var aaaa = new Uint32Array(ab4);
+
+for (var i = 10; i < aaaa.length; i++) {
+  aaaa[i] = 0xcccccccc;
+}
+assertEquals(2, aaaa.length);
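Review bot: `aaa` is a DataView, which exposes `byteLength` but no `length`, so the condition `i < aaa.length` is false on the first check and the `setInt8` loop never runs with or without the fix. Changing it to `for (var i = 10; i < aaa.byteLength; i++) {` would make that case depend on the real length, as the Uint32Array case at the end does. The third case only loops over `b` and never pins its size, so `assertEquals(4, b.length);` after the loop would catch a regression that over-allocates from the shadowed `length` getter. The `// Flags: --allow-natives-syntax` line appears unnecessary, since no `%` call is visible in the file.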

