Reviewers: Toon Verwaest,
Description:
Merged r19848 into 3.24 branch.
Don't fast RemoveArrayHoles in case of arguments arrays.
BUG=351645
LOG=N
[email protected]
Please review this at https://codereview.chromium.org/222413003/
SVN Base: https://v8.googlecode.com/svn/branches/3.24
Affected files (+14, -6 lines):
M src/array.js
M src/objects.cc
M src/runtime.cc
M src/version.cc
A + test/mjsunit/regress/regress-sort-arguments.js
Index: src/array.js
diff --git a/src/array.js b/src/array.js
index
372b7ece6382118a7a578e9a2d0f40ac43ae222a..03c679a44ed74a07dcb58ad7a9bd7b5eb0041404
100644
--- a/src/array.js
+++ b/src/array.js
@@ -1115,8 +1115,8 @@ function ArraySort(comparefn) {
max_prototype_element = CopyFromPrototype(this, length);
}
- var num_non_undefined = %IsObserved(this) ?
- -1 : %RemoveArrayHoles(this, length);
+ // %RemoveArrayHoles returns -1 if fast removal is not supported.
+ var num_non_undefined = %RemoveArrayHoles(this, length);
if (num_non_undefined == -1) {
// The array is observed, or there were indexed accessors in the array.
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
a2bece97f16382f8d552dd5b147c8d63cf239600..0d45c5a77c1f0a171649079917556b1fd37a49b7
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -14456,8 +14456,11 @@ MaybeObject*
JSObject::PrepareSlowElementsForSort(uint32_t limit) {
Handle<Object> JSObject::PrepareElementsForSort(Handle<JSObject> object,
uint32_t limit) {
Isolate* isolate = object->GetIsolate();
+ if (object->HasSloppyArgumentsElements() ||
+ object->map()->is_observed()) {
+ return handle(Smi::FromInt(-1), isolate);
+ }
- ASSERT(!object->map()->is_observed());
if (object->HasDictionaryElements()) {
// Convert to fast elements containing only the existing properties.
// Ordering is irrelevant, since we are going to sort anyway.
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index
0d7a38258e3bf88157e7b1b73d45127d9d530d0d..1f7e116aefd1d786d1af7f31d6b2329c4c983c16
100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -10539,6 +10539,7 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_GlobalPrint)
{
// and are followed by non-existing element. Does not change the length
// property.
// Returns the number of non-undefined elements collected.
+// Returns -1 if hole removal is not supported by this method.
RUNTIME_FUNCTION(MaybeObject*, Runtime_RemoveArrayHoles) {
HandleScope scope(isolate);
ASSERT(args.length() == 2);
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index
fbfe85a05e5c9a72bbcd03acb1348975b2e3e0e8..a90340bd5165202b19922aa6faeaf34403a294e8
100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 24
#define BUILD_NUMBER 35
-#define PATCH_LEVEL 24
+#define PATCH_LEVEL 25
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-sort-arguments.js
diff --git a/test/mjsunit/regress/regress-crbug-351262.js
b/test/mjsunit/regress/regress-sort-arguments.js
similarity index 53%
copy from test/mjsunit/regress/regress-crbug-351262.js
copy to test/mjsunit/regress/regress-sort-arguments.js
index
a2f4eadc0de5c2bd7d27f6e78ff9940fce7b0f85..54ebeb111bbc9ad7411f1c970660ab7c136244c1
100644
--- a/test/mjsunit/regress/regress-crbug-351262.js
+++ b/test/mjsunit/regress/regress-sort-arguments.js
@@ -2,5 +2,9 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-for (var x in this) {};
-JSON.stringify(this);
+function f(a) { return arguments; }
+var a = f(1,2,3);
+delete a[1];
+Array.prototype.sort.apply(a);
+a[10000000] = 4;
+Array.prototype.sort.apply(a);
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
