Revision: 21981
Author: [email protected]
Date: Tue Jun 24 14:33:05 2014 UTC
Log: Version 3.26.31.8 (merged r21903)
Array.concat: properly go to dictionary mode when required
BUG=chromium:387031
LOG=N
[email protected]
Review URL: https://codereview.chromium.org/356503005
http://code.google.com/p/v8/source/detail?r=21981
Added:
/branches/3.26/test/mjsunit/regress/regress-crbug-387031.js
Modified:
/branches/3.26/src/runtime.cc
/branches/3.26/src/version.cc
=======================================
--- /dev/null
+++ /branches/3.26/test/mjsunit/regress/regress-crbug-387031.js Tue Jun 24
14:33:05 2014 UTC
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+a = [1];
+b = [];
+a.__defineGetter__(0, function () {
+ b.length = 0xffffffff;
+});
+c = a.concat(b);
+for (var i = 0; i < 20; i++) {
+ assertEquals(undefined, (c[i]));
+}
=======================================
--- /branches/3.26/src/runtime.cc Tue May 6 00:04:47 2014 UTC
+++ /branches/3.26/src/runtime.cc Tue Jun 24 14:33:05 2014 UTC
@@ -10026,7 +10026,7 @@
// getters on the arrays increasing the length of later arrays
// during iteration.
// This shouldn't happen in anything but pathological cases.
- SetDictionaryMode(index);
+ SetDictionaryMode();
// Fall-through to dictionary mode.
}
ASSERT(!fast_elements_);
@@ -10047,6 +10047,14 @@
} else {
index_offset_ += delta;
}
+ // If the initial length estimate was off (see special case in
visit()),
+ // but the array blowing the limit didn't contain elements beyond the
+ // provided-for index range, go to dictionary mode now.
+ if (fast_elements_ &&
+ index_offset_ >= static_cast<uint32_t>(
+ FixedArrayBase::cast(*storage_)->length())) {
+ SetDictionaryMode();
+ }
}
bool exceeds_array_limit() {
@@ -10068,7 +10076,7 @@
private:
// Convert storage to dictionary mode.
- void SetDictionaryMode(uint32_t index) {
+ void SetDictionaryMode() {
ASSERT(fast_elements_);
Handle<FixedArray> current_storage(*storage_);
Handle<SeededNumberDictionary> slow_storage(
=======================================
--- /branches/3.26/src/version.cc Mon Jun 23 08:37:46 2014 UTC
+++ /branches/3.26/src/version.cc Tue Jun 24 14:33:05 2014 UTC
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 26
#define BUILD_NUMBER 31
-#define PATCH_LEVEL 7
+#define PATCH_LEVEL 8
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
