Revision: 20449
Author: [email protected]
Date: Wed Apr 2 17:42:58 2014 UTC
Log: Merged r19848 into 3.24 branch.
Don't fast RemoveArrayHoles in case of arguments arrays.
BUG=351645
LOG=N
[email protected]
Review URL: https://codereview.chromium.org/222413003
http://code.google.com/p/v8/source/detail?r=20449
Added:
/branches/3.24/test/mjsunit/regress/regress-sort-arguments.js
Modified:
/branches/3.24/src/array.js
/branches/3.24/src/objects.cc
/branches/3.24/src/runtime.cc
/branches/3.24/src/version.cc
=======================================
--- /dev/null
+++ /branches/3.24/test/mjsunit/regress/regress-sort-arguments.js Wed Apr
2 17:42:58 2014 UTC
@@ -0,0 +1,10 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f(a) { return arguments; }
+var a = f(1,2,3);
+delete a[1];
+Array.prototype.sort.apply(a);
+a[10000000] = 4;
+Array.prototype.sort.apply(a);
=======================================
--- /branches/3.24/src/array.js Fri Jan 31 14:01:53 2014 UTC
+++ /branches/3.24/src/array.js Wed Apr 2 17:42:58 2014 UTC
@@ -1115,8 +1115,8 @@
max_prototype_element = CopyFromPrototype(this, length);
}
- var num_non_undefined = %IsObserved(this) ?
- -1 : %RemoveArrayHoles(this, length);
+ // %RemoveArrayHoles returns -1 if fast removal is not supported.
+ var num_non_undefined = %RemoveArrayHoles(this, length);
if (num_non_undefined == -1) {
// The array is observed, or there were indexed accessors in the array.
=======================================
--- /branches/3.24/src/objects.cc Wed Apr 2 15:32:54 2014 UTC
+++ /branches/3.24/src/objects.cc Wed Apr 2 17:42:58 2014 UTC
@@ -14456,8 +14456,11 @@
Handle<Object> JSObject::PrepareElementsForSort(Handle<JSObject> object,
uint32_t limit) {
Isolate* isolate = object->GetIsolate();
+ if (object->HasSloppyArgumentsElements() ||
+ object->map()->is_observed()) {
+ return handle(Smi::FromInt(-1), isolate);
+ }
- ASSERT(!object->map()->is_observed());
if (object->HasDictionaryElements()) {
// Convert to fast elements containing only the existing properties.
// Ordering is irrelevant, since we are going to sort anyway.
=======================================
--- /branches/3.24/src/runtime.cc Wed Apr 2 17:08:24 2014 UTC
+++ /branches/3.24/src/runtime.cc Wed Apr 2 17:42:58 2014 UTC
@@ -10539,6 +10539,7 @@
// and are followed by non-existing element. Does not change the length
// property.
// Returns the number of non-undefined elements collected.
+// Returns -1 if hole removal is not supported by this method.
RUNTIME_FUNCTION(MaybeObject*, Runtime_RemoveArrayHoles) {
HandleScope scope(isolate);
ASSERT(args.length() == 2);
=======================================
--- /branches/3.24/src/version.cc Wed Apr 2 17:08:24 2014 UTC
+++ /branches/3.24/src/version.cc Wed Apr 2 17:42:58 2014 UTC
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 24
#define BUILD_NUMBER 35
-#define PATCH_LEVEL 24
+#define PATCH_LEVEL 25
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
