Title: [222598] trunk
Revision
222598
Author
[email protected]
Date
2017-09-27 21:19:13 -0700 (Wed, 27 Sep 2017)

Log Message

JSArray::canFastCopy() should fail if the source and destination arrays are the same.
https://bugs.webkit.org/show_bug.cgi?id=177584
<rdar://problem/34463903>

Reviewed by Saam Barati.

JSTests:

* stress/regress-177584.js: Added.
(assertEqual):
(Array.prototype.Symbol.species):

Source/JavaScriptCore:

If the source and destination arrays are the same, we may be copying overlapping
regions.  Hence, we need to take the slow path.

* runtime/JSArrayInlines.h:
(JSC::JSArray::canFastCopy):
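The situation the log message describes, as an added example in JavaScript that is not part of the WebKit change: a small model of Array.prototype.concat as the ES spec writes it (length read once, then element by element), beside a bulk-copy version that snapshots the source the way a fast path copying non-overlapping storage would, and the same aliasing setup run on the host engine's own concat. A Symbol.species hook hands back an existing array, so concat's destination is also one of its sources, which is the case the new identity check rejects. Function names (specConcat, bulkConcat, canFastCopyJS, runScenario) are illustrative; the prototype-chain test in canFastCopyJS is only a stand-in for JSC's indexing-type checks, not a port of them.

```javascript
// Added example (not WebKit code): Array.prototype.concat modelled two ways,
// plus the host engine's own concat, on a destination that aliases a source.
// Names such as specConcat, bulkConcat, canFastCopyJS and runScenario are
// illustrative, not JSC identifiers.

// A constructor stand-in whose @@species returns an existing array.  concat
// calls ArraySpeciesCreate(O, 0), which reads O.constructor[Symbol.species]
// and constructs the result with it, so the result becomes `target`.
function makeSpeciesHook(target) {
  return { [Symbol.species]: function () { return target; } };
}

// Just enough of ArraySpeciesCreate for an Array receiver.
function arraySpeciesCreate(O, length) {
  const C = O.constructor;
  const S = C == null ? undefined : C[Symbol.species];
  return typeof S === 'function' ? new S(length) : new Array(length);
}

// concat as the spec writes it: each spreadable argument's length is read
// once, then every index goes through HasProperty/Get on the source and
// CreateDataProperty on A; holes are skipped but still advance n.  When A is
// the same object as E, later iterations read values earlier ones wrote.
function specConcat(O, ...items) {
  const A = arraySpeciesCreate(O, 0);
  let n = 0;
  for (const E of [O, ...items]) {
    if (Array.isArray(E)) {                 // IsConcatSpreadable, simplified
      const len = E.length;
      for (let k = 0; k < len; k++, n++) {
        if (k in E) A[n] = E[k];
      }
    } else {
      A[n++] = E;
    }
  }
  A.length = n;
  return A;
}

// Copy of E's storage with holes preserved.  Not E.slice(): slice also goes
// through @@species and would hand back the hooked array.
function snapshot(E) {
  const copy = new Array(E.length);
  for (let k = 0; k < E.length; k++) if (k in E) copy[k] = E[k];
  return copy;
}

// The fast path's idea of concat: take the source storage as one block and
// append it.  Correct while source and destination are distinct; once they
// alias, the block no longer reflects the writes the copy itself is making.
function bulkConcat(O, ...items) {
  const A = arraySpeciesCreate(O, 0);
  let n = 0;
  for (const E of [O, ...items]) {
    const chunk = Array.isArray(E) ? snapshot(E) : [E];
    for (let k = 0; k < chunk.length; k++, n++) {
      if (k in chunk) A[n] = chunk[k];
    }
  }
  A.length = n;
  return A;
}

// Does any object on a's prototype chain define an array-index property?
// (canFastCopy's FIXME talks about watching Array.prototype and
// Object.prototype for exactly this.)
function prototypeChainHasIndexedProps(a) {
  for (let p = Object.getPrototypeOf(a); p !== null; p = Object.getPrototypeOf(p)) {
    const names = Object.getOwnPropertyNames(p);
    if (names.some((k) => String(k >>> 0) === k && (k >>> 0) !== 4294967295)) return true;
  }
  return false;
}

// The gate r222598 tightens, in JS terms.  The identity test is the new
// line; the rest only approximates JSC's indexing-type and prototype checks.
function canFastCopyJS(dst, src) {
  if (dst === src) return false;           // aliasing: must take the slow path
  if (!Array.isArray(dst) || !Array.isArray(src)) return false;
  return !prototypeChainHasIndexedProps(dst) && !prototypeChainHasIndexedProps(src);
}

// The regress-177584.js setup: a0 has 13 holes, Array.prototype.constructor
// is replaced so that concat's result is a0 itself, then [1,2,3,4].concat(a0)
// writes into a0 while reading from it.  The prototype is restored afterwards.
function runScenario(concatImpl) {
  const a0 = new Array(13);                // same shape as [,,,,,,,,,,,,,]
  const a1 = [1, 2, 3, 4];
  const saved = Object.getOwnPropertyDescriptor(Array.prototype, 'constructor');
  Array.prototype.constructor = makeSpeciesHook(a0);
  try {
    const result = concatImpl(a1, a0);
    return {
      sameObject: result === a0,
      fastCopyAllowed: canFastCopyJS(result, a0),
      length: a0.length,
      joined: String(a0),
    };
  } finally {
    Object.defineProperty(Array.prototype, 'constructor', saved);
  }
}

const engineConcat = (O, ...items) => O.concat(...items);

for (const [name, impl] of [['spec', specConcat], ['bulk', bulkConcat], ['engine', engineConcat]]) {
  const r = runScenario(impl);
  console.log(name, 'sameObject=' + r.sameObject, 'length=' + r.length, JSON.stringify(r.joined));
}
```

On a conforming engine the third run agrees with specConcat (seventeen elements, the 1,2,3,4 pattern repeating because each iteration reads what the previous ones wrote into the same array), while bulkConcat yields the same length but nine trailing holes. Both models agree whenever destination and source are different objects, which is why the identity test is the cheapest and most decisive part of the gate.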

Diff

Modified: trunk/JSTests/ChangeLog (222597 => 222598)


--- trunk/JSTests/ChangeLog	2017-09-28 03:58:19 UTC (rev 222597)
+++ trunk/JSTests/ChangeLog	2017-09-28 04:19:13 UTC (rev 222598)
@@ -1,3 +1,15 @@
+2017-09-27  Mark Lam  <[email protected]>
+
+        JSArray::canFastCopy() should fail if the source and destination arrays are the same.
+        https://bugs.webkit.org/show_bug.cgi?id=177584
+        <rdar://problem/34463903>
+
+        Reviewed by Saam Barati.
+
+        * stress/regress-177584.js: Added.
+        (assertEqual):
+        (Array.prototype.Symbol.species):
+
 2017-09-27  Saam Barati  <[email protected]>
 
         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure

Added: trunk/JSTests/stress/regress-177584.js (0 => 222598)


--- trunk/JSTests/stress/regress-177584.js	                        (rev 0)
+++ trunk/JSTests/stress/regress-177584.js	2017-09-28 04:19:13 UTC (rev 222598)
@@ -0,0 +1,18 @@
+function assertEqual(actual, expected) {
+    if (actual != expected)
+        throw "Failed: actual: " + actual + ", expected: " + expected;
+}
+
+var a0 = [,,,,,,,,,,,,,];
+
+Array.prototype.constructor = {
+    [Symbol.species]: function() {
+        return a0;
+    }
+}
+
+var a1 = [1,2,3,4];
+var a2 = a1.concat(a0);
+
+assertEqual(a0, a2);
+assertEqual(a0, "1,2,3,4,1,2,3,4,1,2,3,4,1,2,3,4,1");
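Review bot: assertEqual compares with loose `!=`, so `assertEqual(a0, a2)` is an identity check (a2 must be the very object a0, which the species hook guarantees) while `assertEqual(a0, "1,2,3,4,...")` leans on implicit array-to-string coercion; spelling that out, e.g. `assertEqual(String(a0), "1,2,3,4,1,2,3,4,1,2,3,4,1,2,3,4,1")` with `!==` in assertEqual, keeps the test meaningful if the helper is ever tightened. A short comment saying why that string is expected would also help: 4 + 13 = 17 elements, with the 1,2,3,4 pattern repeating because, on the per-element path, each read of a0 observes what earlier iterations already wrote into it, which is exactly the behaviour a bulk copy of overlapping storage cannot reproduce.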

Modified: trunk/Source/JavaScriptCore/ChangeLog (222597 => 222598)


--- trunk/Source/_javascript_Core/ChangeLog	2017-09-28 03:58:19 UTC (rev 222597)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-09-28 04:19:13 UTC (rev 222598)
@@ -1,3 +1,17 @@
+2017-09-27  Mark Lam  <[email protected]>
+
+        JSArray::canFastCopy() should fail if the source and destination arrays are the same.
+        https://bugs.webkit.org/show_bug.cgi?id=177584
+        <rdar://problem/34463903>
+
+        Reviewed by Saam Barati.
+
+        If the source and destination arrays are the same, we may be copying overlapping
+        regions.  Hence, we need to take the slow path.
+
+        * runtime/JSArrayInlines.h:
+        (JSC::JSArray::canFastCopy):
+
 2017-09-27  Saam Barati  <[email protected]>
 
         Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure

Modified: trunk/Source/JavaScriptCore/runtime/JSArrayInlines.h (222597 => 222598)


--- trunk/Source/_javascript_Core/runtime/JSArrayInlines.h	2017-09-28 03:58:19 UTC (rev 222597)
+++ trunk/Source/_javascript_Core/runtime/JSArrayInlines.h	2017-09-28 04:19:13 UTC (rev 222598)
@@ -58,6 +58,8 @@
 
 inline bool JSArray::canFastCopy(VM& vm, JSArray* otherArray)
 {
+    if (otherArray == this)
+        return false;
     if (hasAnyArrayStorage(indexingType()) || hasAnyArrayStorage(otherArray->indexingType()))
         return false;
     // FIXME: We should have a watchpoint for indexed properties on Array.prototype and Object.prototype
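Review bot: the new `if (otherArray == this)` check carries no comment, and the reason for it (when source and destination are the same array the copy may cover overlapping regions, so only the element-wise slow path is correct) lives only in the ChangeLog; a one-line comment above the check would spare the next reader a trip to bug 177584. Putting it ahead of the hasAnyArrayStorage() checks is the right order, since a pointer comparison is the cheapest of the three tests and aliasing rules out the fast path regardless of indexing type.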
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
