[webkit-changes] [203798] trunk/Source/JavaScriptCore

[keith_miller]

Title: [203798] trunk/Source/_javascript_Core

Revision

203798

Author

keith_mil...@apple.com

Date

2016-07-27 14:59:02 -0700 (Wed, 27 Jul 2016)

Log Message

concatAppendOne should allocate using the indexing type of the array if it cannot merge
https://bugs.webkit.org/show_bug.cgi?id=160261
<rdar://problem/27530122>

Reviewed by Mark Lam.

Before, if we could not merge the indexing types for copying, we would allocate the
the array as ArrayWithUndecided. Instead, we should allocate an array with the original
array's indexing type.

* runtime/ArrayPrototype.cpp:
(JSC::concatAppendOne):
* tests/stress/concat-append-one-with-sparse-array.js: Added.

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp

Added Paths

• trunk/Source/_javascript_Core/tests/stress/concat-append-one-with-sparse-array.js

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (203797 => 203798)

--- trunk/Source/_javascript_Core/ChangeLog	2016-07-27 21:51:49 UTC (rev 203797)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-07-27 21:59:02 UTC (rev 203798)
@@ -1,3 +1,19 @@
+2016-07-27  Keith Miller  <keith_mil...@apple.com>
+
+        concatAppendOne should allocate using the indexing type of the array if it cannot merge
+        https://bugs.webkit.org/show_bug.cgi?id=160261
+        <rdar://problem/27530122>
+
+        Reviewed by Mark Lam.
+
+        Before, if we could not merge the indexing types for copying, we would allocate the
+        the array as ArrayWithUndecided. Instead, we should allocate an array with the original
+        array's indexing type.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::concatAppendOne):
+        * tests/stress/concat-append-one-with-sparse-array.js: Added.
+
 2016-07-27  Saam Barati  <sbar...@apple.com>
 
         We don't optimize for-in properly in baseline JIT (maybe other JITs too) with an object with symbols

Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (203797 => 203798)

--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2016-07-27 21:51:49 UTC (rev 203797)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2016-07-27 21:59:02 UTC (rev 203798)
@@ -1125,7 +1125,7 @@
 
     IndexingType type = first->mergeIndexingTypeForCopying(indexingTypeForValue(second) | IsArray);
     if (type == NonArray)
-        type = ArrayWithUndecided;
+        type = first->indexingType();
 
     Structure* resultStructure = exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(type);
     JSArray* result = JSArray::create(vm, resultStructure, firstArraySize + 1);

Added: trunk/Source/_javascript_Core/tests/stress/concat-append-one-with-sparse-array.js (0 => 203798)

--- trunk/Source/_javascript_Core/tests/stress/concat-append-one-with-sparse-array.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/concat-append-one-with-sparse-array.js	2016-07-27 21:59:02 UTC (rev 203798)
@@ -0,0 +1,6 @@
+//@ skip
+
+let length = 0x10001000;
+
+let foo = new Array(length);
+foo.concat(1);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes