Reviewers: danno,
Message:
PTAL.
Description:
Array.concat: properly go to dictionary mode when required
BUG=chromium:387031
LOG=y
Please review this at https://codereview.chromium.org/342333002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+18, -10 lines):
M src/runtime.cc
A + test/mjsunit/regress/regress-crbug-387031.js
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index
a8c1aefff432d4203594e17c983b4631342014fe..a6d609c088d1e81bded4db030d1943f97ed94f4d
100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -10040,7 +10040,7 @@ class ArrayConcatVisitor {
// getters on the arrays increasing the length of later arrays
// during iteration.
// This shouldn't happen in anything but pathological cases.
- SetDictionaryMode(index);
+ SetDictionaryMode();
// Fall-through to dictionary mode.
}
ASSERT(!fast_elements_);
@@ -10061,6 +10061,14 @@ class ArrayConcatVisitor {
} else {
index_offset_ += delta;
}
+ // If the initial length estimate was off (see special case in
visit()),
+ // but the array blowing the limit didn't contain elements beyond the
+ // provided-for index range, go to dictionary mode now.
+ if (fast_elements_ &&
+ index_offset_ >= static_cast<uint32_t>(
+ FixedArrayBase::cast(*storage_)->length())) {
+ SetDictionaryMode();
+ }
}
bool exceeds_array_limit() {
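Review bot: The fix now enforces "in fast mode, index_offset_ never exceeds the backing FixedArray's length" from two places (the fall-through in visit() and the new check here), but nothing verifies that invariant where the result is assembled, so a third path that advances index_offset_ would again silently yield an array whose length exceeds its store. If ToArray() (not in this diff) derives the result length from index_offset_, a debug-build guard there would make any such regression fail loudly: `ASSERT(!fast_elements_ || index_offset_ <= static_cast<uint32_t>(FixedArrayBase::cast(*storage_)->length()));`. Using `>=` rather than `>` on the new check is the conservative choice and appears safe, since at equality the fast storage is already full. increase_index_offset() begins before this hunk and exceeds_array_limit() continues past it.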
@@ -10082,7 +10090,7 @@ class ArrayConcatVisitor {
private:
// Convert storage to dictionary mode.
- void SetDictionaryMode(uint32_t index) {
+ void SetDictionaryMode() {
ASSERT(fast_elements_);
Handle<FixedArray> current_storage(*storage_);
Handle<SeededNumberDictionary> slow_storage(
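Review bot: The header comment `// Convert storage to dictionary mode.` no longer says enough now that SetDictionaryMode() has two callers and no longer receives the offending index: the precondition and the reasons it is reached are only discoverable by reading visit() and increase_index_offset(). Suggest `// Convert storage to dictionary mode. Requires fast_elements_ (asserted below); reached from visit() when an element index lands past the fast storage, and from increase_index_offset() when the offset alone has done so.` The body of SetDictionaryMode() continues outside the hunk.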
Index: test/mjsunit/regress/regress-crbug-387031.js
diff --git a/test/mjsunit/regress/regress-349885.js
b/test/mjsunit/regress/regress-crbug-387031.js
similarity index 55%
copy from test/mjsunit/regress/regress-349885.js
copy to test/mjsunit/regress/regress-crbug-387031.js
index
dd3e79526041b0362434608b81429d83e18ae8ef..77f52a9d35ea296d164def9de6f859bcbceb527a
100644
--- a/test/mjsunit/regress/regress-349885.js
+++ b/test/mjsunit/regress/regress-crbug-387031.js
@@ -4,12 +4,12 @@
// Flags: --allow-natives-syntax
-// The bug 349885
-
-function foo(a) {
- a[292755462] = new Object();
+a = [1];
+b = [];
+a.__defineGetter__(0, function () {
+ b.length = 0xffffffff;
+});
+c = a.concat(b);
+for (var i = 0; i < 20; i++) {
+ assertEquals(undefined, (c[i]));
}
-foo(new Array(5));
-foo(new Array(5));
-%OptimizeFunctionOnNextCall(foo);
-foo(new Array(10));
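Review bot: The copy dropped the `// The bug 349885` header without replacing it, so nothing in the file explains why a getter that sets `b.length = 0xffffffff` is the interesting case. Suggest a comment above `a = [1];` such as `// The getter on a[0] fires while a.concat(b) is running and grows b past the length estimate taken up front; the result must still be well-formed (chromium:387031).`. The test also creates `a`, `b` and `c` as implicit globals; declaring them with `var` would keep the script self-contained.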