Reviewers: danno,

Description:
Version 3.26.31.8 (merged r21903)

Array.concat: properly go to dictionary mode when required

BUG=chromium:387031
LOG=N
[email protected]

Please review this at https://codereview.chromium.org/356503005/

SVN Base: https://v8.googlecode.com/svn/branches/3.26

Affected files (+19, -15 lines):
  M src/runtime.cc
  M src/version.cc
  A + test/mjsunit/regress/regress-crbug-387031.js


Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index e07876b84bc375b27c9b49a92f94cb1128f33b94..a7a4ace0e43edee9a9484fc5167e0ce8cf3c04ff 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -10026,7 +10026,7 @@ class ArrayConcatVisitor {
       // getters on the arrays increasing the length of later arrays
       // during iteration.
       // This shouldn't happen in anything but pathological cases.
-      SetDictionaryMode(index);
+      SetDictionaryMode();
       // Fall-through to dictionary mode.
     }
     ASSERT(!fast_elements_);
@@ -10047,6 +10047,14 @@ class ArrayConcatVisitor {
     } else {
       index_offset_ += delta;
     }
+ // If the initial length estimate was off (see special case in visit()),
+    // but the array blowing the limit didn't contain elements beyond the
+    // provided-for index range, go to dictionary mode now.
+    if (fast_elements_ &&
+        index_offset_ >= static_cast<uint32_t>(
+            FixedArrayBase::cast(*storage_)->length())) {
+      SetDictionaryMode();
+    }
   }

   bool exceeds_array_limit() {
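Review bot: The added guard at the end of this function compares with `>=`, so it also fires when `index_offset_` lands exactly on the storage length. A fast backing store of length N already covers indices 0..N-1, so that case appears to need no conversion. If the initial estimate is usually exact, this would push ordinary concat results into dictionary mode. Unless code outside the hunk relies on the stricter bound, consider `index_offset_ > static_cast<uint32_t>(` and state the invariant in the comment, presumably `// In fast mode the result length must never exceed the backing store length.` The first comment line is also indented one column instead of four, and the function begins above the hunk, so its callers are not visible here.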
@@ -10068,7 +10076,7 @@ class ArrayConcatVisitor {

  private:
   // Convert storage to dictionary mode.
-  void SetDictionaryMode(uint32_t index) {
+  void SetDictionaryMode() {
     ASSERT(fast_elements_);
     Handle<FixedArray> current_storage(*storage_);
     Handle<SeededNumberDictionary> slow_storage(
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index ac185caf52e16b2bd640e0c29bfddb456690cf01..cceaa44e2207ccab1659e5a4e94e6940d69cc4e7 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     26
 #define BUILD_NUMBER      31
-#define PATCH_LEVEL       7
+#define PATCH_LEVEL       8
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-crbug-387031.js
diff --git a/test/mjsunit/regress/regress-347909.js b/test/mjsunit/regress/regress-crbug-387031.js
similarity index 55%
copy from test/mjsunit/regress/regress-347909.js
copy to test/mjsunit/regress/regress-crbug-387031.js
index 90a8e6a759eab76afef1dc968c814bd9d324b147..77f52a9d35ea296d164def9de6f859bcbceb527a 100644
--- a/test/mjsunit/regress/regress-347909.js
+++ b/test/mjsunit/regress/regress-crbug-387031.js
@@ -4,16 +4,12 @@

 // Flags: --allow-natives-syntax

-var a = {y:1.5};
-a.y = 0;
-var b = a.y;
-a.y = {};
-var d = 1;
-function f() {
-  d = 0;
-  return {y: b};
+a = [1];
+b = [];
+a.__defineGetter__(0, function () {
+  b.length = 0xffffffff;
+});
+c = a.concat(b);
+for (var i = 0; i < 20; i++) {
+  assertEquals(undefined, (c[i]));
 }
-f();
-f();
-%OptimizeFunctionOnNextCall(f);
-f();
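Review bot: The retained header `// Flags: --allow-natives-syntax` looks unnecessary now, because the new body has no `%` native calls left after the copy from regress-347909.js; dropping it lets the test run under default flags. `a`, `b` and `c` are created as implicit globals, and `var a = [1];` (likewise for `b` and `c`) would match the `var i` in the loop. A short comment such as `// The getter grows b while concat is already iterating a.` would tell the next reader why the getter matters. The loop checks only element values, so an added assertion on `c.length` (expected value to be confirmed against the intended semantics) would also pin the size of the result.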

