Revision: 21118
Author: [email protected]
Date: Fri May 2 11:30:24 2014 UTC
Log: Checks for empty array case added before casting elements to
FixedDoubleArray.
BUG=chromium:369450
LOG=N
[email protected]
Review URL: https://codereview.chromium.org/264973008
http://code.google.com/p/v8/source/detail?r=21118
Added:
/branches/bleeding_edge/test/mjsunit/regress/regress-369450.js
Modified:
/branches/bleeding_edge/src/json-stringifier.h
/branches/bleeding_edge/src/runtime.cc
=======================================
--- /dev/null
+++ /branches/bleeding_edge/test/mjsunit/regress/regress-369450.js Fri May
2 11:30:24 2014 UTC
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --enable-slow-asserts
+
+var v = [1.3];
+v.length = 0;
+
+var json = JSON.stringify(v);
+assertEquals("[]", json);
+
+Array.prototype[0] = 5.5;
+var arr = [].concat(v, [{}], [2.3]);
+assertEquals([{}, 2.3], arr);
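Review bot: The regression test only truncates a packed double array (`var v = [1.3]`), while the runtime.cc guards in this commit also sit under `case FAST_HOLEY_DOUBLE_ELEMENTS:`, so the holey variant of the empty-array case is not covered. A second array built with a hole and then truncated, e.g. `var h = [1.3, , 2.3]; h.length = 0;`, passed through the same `concat` call would presumably reach that case label; confirm this against how the elements kind is assigned. `--allow-natives-syntax` looks unused, since the file contains no `%` native calls.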
=======================================
--- /branches/bleeding_edge/src/json-stringifier.h Tue Apr 29 13:43:17 2014
UTC
+++ /branches/bleeding_edge/src/json-stringifier.h Fri May 2 11:30:24 2014
UTC
@@ -560,6 +560,8 @@
break;
}
case FAST_DOUBLE_ELEMENTS: {
+ // Empty array is FixedArray but not FixedDoubleArray.
+ if (length == 0) break;
Handle<FixedDoubleArray> elements(
FixedDoubleArray::cast(object->elements()), isolate_);
for (uint32_t i = 0; i < length; i++) {
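Review bot: The comment added above `if (length == 0) break;` states a fact but not why it matters for the next statement, and the same wording is repeated in both runtime.cc hunks. Spelling out the consequence would help, for example `// A zero-length array may have the empty FixedArray as its backing store, so FixedDoubleArray::cast() below is only valid when length > 0.` The test's `--enable-slow-asserts` flag suggests the cast is only verified in assert-enabled builds, so in other builds this length check would be the only guard; the comment should say so. The enclosing switch and the origin of `length` lie outside this hunk.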
=======================================
--- /branches/bleeding_edge/src/runtime.cc Fri May 2 06:02:00 2014 UTC
+++ /branches/bleeding_edge/src/runtime.cc Fri May 2 11:30:24 2014 UTC
@@ -10355,6 +10355,8 @@
}
case FAST_HOLEY_DOUBLE_ELEMENTS:
case FAST_DOUBLE_ELEMENTS: {
+ // Empty array is FixedArray but not FixedDoubleArray.
+ if (length == 0) break;
// Run through the elements FixedArray and use HasElement and
GetElement
// to check the prototype for missing elements.
Handle<FixedDoubleArray> elements(
@@ -10559,8 +10561,8 @@
switch (array->map()->elements_kind()) {
case FAST_HOLEY_DOUBLE_ELEMENTS:
case FAST_DOUBLE_ELEMENTS: {
- // Empty fixed array indicates that there are no elements.
- if (array->elements()->IsFixedArray()) break;
+ // Empty array is FixedArray but not FixedDoubleArray.
+ if (length == 0) break;
FixedDoubleArray* elements =
FixedDoubleArray::cast(array->elements());
for (uint32_t i = 0; i < length; i++) {
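Review bot: Replacing `if (array->elements()->IsFixedArray()) break;` with `if (length == 0) break;` swaps a direct test of the backing store's type for a test on the array length. The `FixedDoubleArray::cast` that follows is therefore correct only while a non-zero `length` always implies a double backing store. If that invariant ever fails to hold, a FixedArray would be read as raw doubles in the loop. Unless the type test was dropped for a reason not visible in this hunk, keeping both conditions is cheap: `if (length == 0 || array->elements()->IsFixedArray()) break;`. The enclosing function and the computation of `length` are outside the hunk.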