Reviewers: Yang,
Description:
Merged r19862 into 3.24 branch.
Use intrinsics for builtin ArrayBuffer property accesses
BUG=chromium:351787
LOG=N
[email protected]
Please review this at https://codereview.chromium.org/198023002/
SVN Base: https://v8.googlecode.com/svn/branches/3.24
Affected files (+55, -8 lines):
M src/arraybuffer.js
M src/runtime.cc
M src/typedarray.js
M src/version.cc
A test/mjsunit/regress/regress-crbug-351787.js
Index: src/arraybuffer.js
diff --git a/src/arraybuffer.js b/src/arraybuffer.js
index
6125f0f61cb3eb1a258573106a5f4bb2daa7ee17..cfaa8d7efca4689b9b715cd3fb34212d6e35346e
100644
--- a/src/arraybuffer.js
+++ b/src/arraybuffer.js
@@ -57,17 +57,18 @@ function ArrayBufferSlice(start, end) {
var relativeStart = TO_INTEGER(start);
var first;
+ var byte_length = %ArrayBufferGetByteLength(this);
if (relativeStart < 0) {
- first = MathMax(this.byteLength + relativeStart, 0);
+ first = MathMax(byte_length + relativeStart, 0);
} else {
- first = MathMin(relativeStart, this.byteLength);
+ first = MathMin(relativeStart, byte_length);
}
- var relativeEnd = IS_UNDEFINED(end) ? this.byteLength : TO_INTEGER(end);
+ var relativeEnd = IS_UNDEFINED(end) ? byte_length : TO_INTEGER(end);
var fin;
if (relativeEnd < 0) {
- fin = MathMax(this.byteLength + relativeEnd, 0);
+ fin = MathMax(byte_length + relativeEnd, 0);
} else {
- fin = MathMin(relativeEnd, this.byteLength);
+ fin = MathMin(relativeEnd, byte_length);
}
if (fin < first) {
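Review bot: Nothing at `var byte_length = %ArrayBufferGetByteLength(this);` records why the internal length is read instead of `this.byteLength`, so a later cleanup could revert it; the regression test in this commit shows the property can be shadowed by a script-defined getter. A short comment such as `// Read the internal length; the byteLength property can be redefined by script.` would preserve that reasoning, and the same applies to the two `%ArrayBufferGetByteLength(buffer)` reads in src/typedarray.js. The local is also named `byte_length` while its neighbours are `relativeStart` and `relativeEnd`; `byteLength` would match. ArrayBufferSlice starts and ends outside the hunk, so the receiver check that presumably guards the intrinsic is not visible here.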
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index
3596add429ee9335994c525ad946be41648d6842..ac9a2c0c9e8c0017c9cc542d1765adaa0f5217a7
100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -957,6 +957,10 @@ RUNTIME_FUNCTION(MaybeObject*,
Runtime_TypedArrayInitializeFromArrayLike) {
Runtime::ArrayIdToTypeAndSize(arrayId, &array_type, &element_size);
Handle<JSArrayBuffer> buffer = isolate->factory()->NewJSArrayBuffer();
+ if (source->IsJSTypedArray() &&
+ JSTypedArray::cast(*source)->type() == array_type) {
+ length_obj = Handle<Object>(JSTypedArray::cast(*source)->length(),
isolate);
+ }
size_t length = NumberToSize(isolate, *length_obj);
if ((length > static_cast<unsigned>(Smi::kMaxValue)) ||
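Review bot: The added override of `length_obj` applies only when `JSTypedArray::cast(*source)->type() == array_type`, and the hunk gives no reason for that restriction. For a typed-array source of a different element type, and for any other array-like, the length still comes from the caller-supplied argument; presumably that is safe because only the same-type case takes a raw copy later in the function, but that code is outside the hunk. A comment above the `if` stating this, for example `// Same-type sources are copied wholesale below, so trust only the internal length.`, would keep the two conditions in step. The function starts and ends outside the hunk.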
Index: src/typedarray.js
diff --git a/src/typedarray.js b/src/typedarray.js
index
c0f07eda85623defe627fa5f7d834bfb5f2ba6e5..81c52961c0105a10c2bcfe352f5b7fa9a07ea0e5
100644
--- a/src/typedarray.js
+++ b/src/typedarray.js
@@ -49,7 +49,7 @@ endmacro
macro TYPED_ARRAY_CONSTRUCTOR(ARRAY_ID, NAME, ELEMENT_SIZE)
function NAMEConstructByArrayBuffer(obj, buffer, byteOffset, length) {
- var bufferByteLength = buffer.byteLength;
+ var bufferByteLength = %ArrayBufferGetByteLength(buffer);
var offset;
if (IS_UNDEFINED(byteOffset)) {
offset = 0;
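Review bot: `%ArrayBufferGetByteLength(buffer)` in NAMEConstructByArrayBuffer has no visible type check in front of it, whereas the DataViewConstructor hunk shows `IS_ARRAYBUFFER(buffer)` directly above the same call. A property read tolerated any object; the runtime call presumably requires a real ArrayBuffer, so it is worth confirming that every caller dispatches here only after that check, and saying so in a comment, e.g. `// Caller guarantees IS_ARRAYBUFFER(buffer).`. The function body continues outside the hunk.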
@@ -317,7 +317,7 @@ function DataViewConstructor(buffer, byteOffset,
byteLength) { // length = 3
if (!IS_ARRAYBUFFER(buffer)) {
throw MakeTypeError('data_view_not_array_buffer', []);
}
- var bufferByteLength = buffer.byteLength;
+ var bufferByteLength = %ArrayBufferGetByteLength(buffer);
var offset = IS_UNDEFINED(byteOffset) ?
0 : ToPositiveInteger(byteOffset, 'invalid_data_view_offset');
if (offset > bufferByteLength) {
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index
e964094a35ff11dd6374440b1fd274732c2f9e2e..384824bd1db015aab611ef75bd7fff93e5abbe0e
100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 24
#define BUILD_NUMBER 35
-#define PATCH_LEVEL 14
+#define PATCH_LEVEL 15
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-crbug-351787.js
diff --git a/test/mjsunit/regress/regress-crbug-351787.js
b/test/mjsunit/regress/regress-crbug-351787.js
new file mode 100644
index
0000000000000000000000000000000000000000..74cabf2b9a3dfbf7284202b48e5651eaa9c722f6
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-351787.js
@@ -0,0 +1,42 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var ab1 = new ArrayBuffer(8);
+ab1.__defineGetter__("byteLength", function() { return 1000000; });
+var ab2 = ab1.slice(800000, 900000);
+var array = new Uint8Array(ab2);
+for (var i = 0; i < array.length; i++) {
+ assertEquals(0, array[i]);
+}
+assertEquals(0, array.length);
+
+
+var ab3 = new ArrayBuffer(8);
+ab3.__defineGetter__("byteLength", function() { return 0xFFFFFFFC; });
+var aaa = new DataView(ab3);
+
+for (var i = 10; i < aaa.length; i++) {
+ aaa.setInt8(i, 0xcc);
+}
+assertEquals(8, aaa.byteLength);
+
+
+var a = new Int8Array(4);
+a.__defineGetter__("length", function() { return 0xFFFF; });
+var b = new Int8Array(a);
+for (var i = 0; i < b.length; i++) {
+ assertEquals(0, b[i]);
+}
+
+
+var ab4 = new ArrayBuffer(8);
+ab4.__defineGetter__("byteLength", function() { return 0xFFFFFFFC; });
+var aaaa = new Uint32Array(ab4);
+
+for (var i = 10; i < aaaa.length; i++) {
+ aaaa[i] = 0xcccccccc;
+}
+assertEquals(2, aaaa.length);
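Review bot: The DataView case at `for (var i = 10; i < aaa.length; i++)` never runs its body, because DataView exposes `byteLength` and not `length`, so `aaa.length` is undefined and the comparison is false with or without the fix. The only effective check in that case is `assertEquals(8, aaa.byteLength)`; consider dropping the loop or bounding it by `aaa.byteLength`. The Int8Array case likewise never pins the result length; adding `assertEquals(4, b.length);` after its loop would make a regression in the typed-array copy path fail directly. `// Flags: --allow-natives-syntax` also looks unnecessary, since no `%` call appears in the file.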