Reviewers: Benedikt Meurer,
Message:
PTAL
Description:
Checks for empty array case added before casting elements to
FixedDoubleArray.
BUG=chromium:369450
Please review this at https://codereview.chromium.org/264973008/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+15, -11 lines):
M src/json-stringifier.h
M src/runtime.cc
A + test/mjsunit/regress/regress-369450.js
Index: src/json-stringifier.h
diff --git a/src/json-stringifier.h b/src/json-stringifier.h
index
c93196e0c9f18e440296d76d8f4dc5cbb34d1fc7..7eb6746dfbebb802e1c7c18fb18c389e600bf230
100644
--- a/src/json-stringifier.h
+++ b/src/json-stringifier.h
@@ -560,6 +560,8 @@ BasicJsonStringifier::Result
BasicJsonStringifier::SerializeJSArray(
break;
}
case FAST_DOUBLE_ELEMENTS: {
+ // Empty array is FixedArray but not FixedDoubleArray.
+ if (length == 0) break;
Handle<FixedDoubleArray> elements(
FixedDoubleArray::cast(object->elements()), isolate_);
for (uint32_t i = 0; i < length; i++) {
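Review bot: The added comment in the `FAST_DOUBLE_ELEMENTS` case states a fact about the backing store but not why `length == 0` is the right test for it. The guard is only safe if every array of this elements kind with non-zero length is backed by a FixedDoubleArray, and that invariant is not visible here. The regression test runs with `--enable-slow-asserts`, which suggests the cast is only verified where slow asserts are active, so in other builds a wrong assumption would mean reading a FixedArray as raw doubles. I would spell the reasoning out, e.g. `// A zero-length array of double elements kind is backed by an empty FixedArray, so the cast below is only valid when length > 0.` The same applies to the identical guards in `IterateElements` and `Runtime_ArrayConcat` in src/runtime.cc; `length` is defined outside all three hunks.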
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index
c60b8046186078daf860807e935e625955ac972e..e17346a27893b20f91a00f8795e6bca11cdcce93
100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -10355,6 +10355,8 @@ static bool IterateElements(Isolate* isolate,
}
case FAST_HOLEY_DOUBLE_ELEMENTS:
case FAST_DOUBLE_ELEMENTS: {
+ // Empty array is FixedArray but not FixedDoubleArray.
+ if (length == 0) break;
// Run through the elements FixedArray and use HasElement and
GetElement
// to check the prototype for missing elements.
Handle<FixedDoubleArray> elements(
@@ -10559,8 +10561,8 @@ RUNTIME_FUNCTION(Runtime_ArrayConcat) {
switch (array->map()->elements_kind()) {
case FAST_HOLEY_DOUBLE_ELEMENTS:
case FAST_DOUBLE_ELEMENTS: {
- // Empty fixed array indicates that there are no elements.
- if (array->elements()->IsFixedArray()) break;
+ // Empty array is FixedArray but not FixedDoubleArray.
+ if (length == 0) break;
FixedDoubleArray* elements =
FixedDoubleArray::cast(array->elements());
for (uint32_t i = 0; i < length; i++) {
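Review bot: Replacing `array->elements()->IsFixedArray()` with `length == 0` swaps a direct check of the object being cast for an indirect one, and the cast result here is a raw `FixedDoubleArray*` that the loop then reads. If `length` (computed outside this hunk) can ever be non-zero while the store is still a FixedArray, the old line would have skipped the cast and the new one does not. Consider stating the invariant right after the guard with a debug assertion such as `ASSERT(array->elements()->IsFixedDoubleArray());`, so that debug builds running without slow asserts also catch a mismatch.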
Index: test/mjsunit/regress/regress-369450.js
diff --git a/test/mjsunit/regress/regress-empty-fixed-double-array.js
b/test/mjsunit/regress/regress-369450.js
similarity index 55%
copy from test/mjsunit/regress/regress-empty-fixed-double-array.js
copy to test/mjsunit/regress/regress-369450.js
index
1db9e2b3e54e2abfddddd23f4ee6618ae438db20..e4523619f08407a532787976a7c36fd39a34c98f
100644
--- a/test/mjsunit/regress/regress-empty-fixed-double-array.js
+++ b/test/mjsunit/regress/regress-369450.js
@@ -4,12 +4,12 @@
// Flags: --allow-natives-syntax --enable-slow-asserts
-function f(a, x) {
- a.shift();
- a[0] = x;
-}
-
-f([1], 1.1);
-f([1], 1.1);
-%OptimizeFunctionOnNextCall(f);
-f([1], 1.1);
+var v = [1.3];
+v.length = 0;
+
+var json = JSON.stringify(v);
+assertEquals("[]", json);
+
+Array.prototype[0] = 5.5;
+var arr = [].concat(v, [{}], [2.3]);
+assertEquals([{}, 2.3], arr);
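Review bot: The test appears to exercise the `JSON.stringify` guard and the generic concat path, but the `[{}]` argument likely keeps `Runtime_ArrayConcat` off its double-elements fast path, so the third guard changed in src/runtime.cc may go untested. A concat whose inputs are all empty or double arrays, e.g. `assertEquals([2.3], [].concat(v, [2.3]));`, would probably cover it. Separately, `Array.prototype[0] = 5.5;` is never removed again, and the invalid cast is only detected in builds where `--enable-slow-asserts` takes effect, so a pass in other configurations says little about the cast itself.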