Title: [232138] trunk
- Revision: 232138
- Author: [email protected]
- Date: 2018-05-23 17:47:35 -0700 (Wed, 23 May 2018)
Log Message
Define length on CoW array should properly convert to writable
https://bugs.webkit.org/show_bug.cgi?id=185927
Reviewed by Yusuke Suzuki.
JSTests:
* stress/cow-define-length-as-value.js: Added.
(test):
Source/JavaScriptCore:
* runtime/JSArray.cpp:
(JSC::JSArray::setLength):
Diff
Modified: trunk/JSTests/ChangeLog (232137 => 232138)
--- trunk/JSTests/ChangeLog 2018-05-24 00:05:54 UTC (rev 232137)
+++ trunk/JSTests/ChangeLog 2018-05-24 00:47:35 UTC (rev 232138)
@@ -1,3 +1,13 @@
+2018-05-23 Keith Miller <[email protected]>
+
+ Define length on CoW array should properly convert to writable
+ https://bugs.webkit.org/show_bug.cgi?id=185927
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/cow-define-length-as-value.js: Added.
+ (test):
+
2018-05-23 Michael Saboff <[email protected]>
Date.parse() doesn't properly handle input outside of ES Spec limits
Added: trunk/JSTests/stress/cow-define-length-as-value.js (0 => 232138)
--- trunk/JSTests/stress/cow-define-length-as-value.js (rev 0)
+++ trunk/JSTests/stress/cow-define-length-as-value.js 2018-05-24 00:47:35 UTC (rev 232138)
@@ -0,0 +1,19 @@
+function test(create) {
+ // Set length to be smaller.
+ Object.defineProperty(create(), "length", { value: 1 });
+
+ // Set length to be bigger.
+ Object.defineProperty(create(), "length", { value: 4 });
+
+ // Set length to be the same size
+ Object.defineProperty(create(), "length", { value: 3 });
+}
+
+// Test Int32.
+test(() => [1, 2]);
+// Test double
+test(() => [1.123, 2.50934]);
+// Test contiguous via NaN
+test(() => [NaN, 2.50934]);
+// Test contiguous via string
+test(() => ["test", "42"]);
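Review bot: The "same size" case in test() does not test the same size: every array passed in has length 2, but the call uses { value: 3 }, so it is a second grow case and the new early return for newLength == butterfly->publicLength() is never reached. Use { value: 2 } there. The test also asserts nothing after each defineProperty call; checking the resulting length and elements, and that a second array from create() still has its original length and contents, would catch a write that landed in the shared copy-on-write storage instead of a private copy.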
Modified: trunk/Source/_javascript_Core/ChangeLog (232137 => 232138)
--- trunk/Source/_javascript_Core/ChangeLog 2018-05-24 00:05:54 UTC (rev 232137)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-05-24 00:47:35 UTC (rev 232138)
@@ -1,5 +1,15 @@
2018-05-23 Keith Miller <[email protected]>
+ Define length on CoW array should properly convert to writable
+ https://bugs.webkit.org/show_bug.cgi?id=185927
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::setLength):
+
+2018-05-23 Keith Miller <[email protected]>
+
InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format
https://bugs.webkit.org/show_bug.cgi?id=185923
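Review bot: The new entry lists JSC::JSArray::setLength with no description of what was wrong or what changed. One line after the function name would help later readers of the log, for example that setLength now switches on indexingMode() and converts copy-on-write arrays with convertFromCopyOnWrite before changing the length.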
Modified: trunk/Source/_javascript_Core/runtime/JSArray.cpp (232137 => 232138)
--- trunk/Source/_javascript_Core/runtime/JSArray.cpp 2018-05-24 00:05:54 UTC (rev 232137)
+++ trunk/Source/_javascript_Core/runtime/JSArray.cpp 2018-05-24 00:47:35 UTC (rev 232138)
@@ -568,7 +568,7 @@
auto scope = DECLARE_THROW_SCOPE(vm);
Butterfly* butterfly = this->butterfly();
- switch (indexingType()) {
+ switch (indexingMode()) {
case ArrayClass:
if (!newLength)
return true;
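Review bot: The change from indexingType() to indexingMode() at the top of the switch has no comment, and it alters what every existing case label is compared against, not just the labels added later in the patch. A short comment above the switch saying that indexingMode() is needed so the CopyOnWrite cases can be told apart would keep someone from switching it back, and it is worth confirming in review that the existing cases and the default arm still see the values they expect.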
@@ -581,6 +581,15 @@
createInitialUndecided(vm, newLength);
return true;
+ case CopyOnWriteArrayWithInt32:
+ case CopyOnWriteArrayWithDouble:
+ case CopyOnWriteArrayWithContiguous:
+ if (newLength == butterfly->publicLength())
+ return true;
+ convertFromCopyOnWrite(vm);
+ butterfly = this->butterfly();
+ FALLTHROUGH;
+
case ArrayWithUndecided:
case ArrayWithInt32:
case ArrayWithDouble:
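Review bot: The reload `butterfly = this->butterfly();` after convertFromCopyOnWrite(vm) is load-bearing and deserves a comment: the local was read before the switch, and the fallthrough cases go on to use it, so dropping the reload in a later edit would leave them working on the pre-conversion storage. It would also help to note that the early return for newLength == butterfly->publicLength() intentionally leaves the array copy-on-write, since that path returns true without converting.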
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes