Modified: branches/safari-606-branch/JSTests/ChangeLog (234305 => 234306)
--- branches/safari-606-branch/JSTests/ChangeLog 2018-07-27 06:02:19 UTC (rev 234305)
+++ branches/safari-606-branch/JSTests/ChangeLog 2018-07-27 06:02:22 UTC (rev 234306)
@@ -1,3 +1,38 @@
+2018-07-26 Babak Shafiei <[email protected]>
+
+ Cherry-pick r234269. rdar://problem/42650430
+
+ arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
+ https://bugs.webkit.org/show_bug.cgi?id=188065
+ <rdar://problem/42515726>
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * stress/regress-188065.js: Added.
+
+ Source/_javascript_Core:
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::clearElement):
+ (JSC::copyElements):
+ (JSC::arrayProtoPrivateFuncConcatMemcpy):
+
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234269 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-07-26 Mark Lam <[email protected]>
+
+ arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
+ https://bugs.webkit.org/show_bug.cgi?id=188065
+ <rdar://problem/42515726>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-188065.js: Added.
+
2018-07-23 Babak Shafiei <[email protected]>
Cherry-pick r234075. rdar://problem/42451525
Added: branches/safari-606-branch/JSTests/stress/regress-188065.js (0 => 234306)
--- branches/safari-606-branch/JSTests/stress/regress-188065.js (rev 0)
+++ branches/safari-606-branch/JSTests/stress/regress-188065.js 2018-07-27 06:02:22 UTC (rev 234306)
@@ -0,0 +1,8 @@
+function test() {
+ var arr = new Array(400);
+ arr.concat([1.1]);
+}
+noInline(test);
+
+for (var i = 0; i < 10000; i++)
+ test();
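Review bot: The test only shows that the loop no longer crashes; it never inspects what concat() returned, so a build that copies the wrong values into the result would still pass. Keep the result and check it, e.g. `var result = arr.concat([1.1]);` followed by `if (result.length !== 401 || result[0] !== undefined || result[400] !== 1.1) throw new Error("bad concat result");`. A second case with the hole-only array as the argument, `[1.1].concat(new Array(400))`, would cover the other operand, since the fix routes both operands through copyElements; whether that form reaches the memcpy fast path should be confirmed against the engine.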
Modified: branches/safari-606-branch/Source/_javascript_Core/ChangeLog (234305 => 234306)
--- branches/safari-606-branch/Source/_javascript_Core/ChangeLog 2018-07-27 06:02:19 UTC (rev 234305)
+++ branches/safari-606-branch/Source/_javascript_Core/ChangeLog 2018-07-27 06:02:22 UTC (rev 234306)
@@ -1,5 +1,43 @@
2018-07-26 Babak Shafiei <[email protected]>
+ Cherry-pick r234269. rdar://problem/42650430
+
+ arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
+ https://bugs.webkit.org/show_bug.cgi?id=188065
+ <rdar://problem/42515726>
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * stress/regress-188065.js: Added.
+
+ Source/_javascript_Core:
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::clearElement):
+ (JSC::copyElements):
+ (JSC::arrayProtoPrivateFuncConcatMemcpy):
+
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234269 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-07-26 Mark Lam <[email protected]>
+
+ arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
+ https://bugs.webkit.org/show_bug.cgi?id=188065
+ <rdar://problem/42515726>
+
+ Reviewed by Saam Barati.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::clearElement):
+ (JSC::copyElements):
+ (JSC::arrayProtoPrivateFuncConcatMemcpy):
+
+2018-07-26 Babak Shafiei <[email protected]>
+
Cherry-pick r234272. rdar://problem/42645434
Unreviewed, rolling out r234181 and r234189.
Modified: branches/safari-606-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp (234305 => 234306)
--- branches/safari-606-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2018-07-27 06:02:19 UTC (rev 234305)
+++ branches/safari-606-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2018-07-27 06:02:22 UTC (rev 234306)
@@ -1292,7 +1292,30 @@
}
+template<typename T>
+void clearElement(T& element)
+{
+ element.clear();
+}
+template<>
+void clearElement(double& element)
+{
+ element = PNaN;
+}
+
+template<typename T>
+ALWAYS_INLINE void copyElements(T* buffer, unsigned offset, void* source, unsigned sourceSize, IndexingType sourceType)
+{
+ if (sourceType != ArrayWithUndecided) {
+ memcpy(buffer + offset, source, sizeof(JSValue) * sourceSize);
+ return;
+ }
+
+ for (unsigned i = sourceSize; i--;)
+ clearElement<T>(buffer[i + offset]);
+};
+
EncodedJSValue JSC_HOST_CALL arrayProtoPrivateFuncConcatMemcpy(ExecState* exec)
{
ASSERT(exec->argumentCount() == 2);
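Review bot: The memcpy in copyElements sizes the copy as `sizeof(JSValue) * sourceSize` while writing through a `T*`, so it stays inside the destination only while every T it is instantiated with is exactly as wide as a JSValue. The two callers on this page use double and WriteBarrier<Unknown>, which presumably both satisfy that, but the template does not state it; add `static_assert(sizeof(T) == sizeof(JSValue), "copyElements copies JSValue-sized slots");` at the top of the body. The closing `};` of copyElements also carries a stray semicolon. arrayProtoPrivateFuncConcatMemcpy, whose first lines end this hunk, continues outside it.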
@@ -1367,26 +1390,16 @@
throwOutOfMemoryError(exec, scope);
return encodedJSValue();
}
-
+
if (type == ArrayWithDouble) {
double* buffer = result->butterfly()->contiguousDouble().data();
- memcpy(buffer, firstButterfly->contiguousDouble().data(), sizeof(JSValue) * firstArraySize);
- memcpy(buffer + firstArraySize, secondButterfly->contiguousDouble().data(), sizeof(JSValue) * secondArraySize);
+ copyElements(buffer, 0, firstButterfly->contiguousDouble().data(), firstArraySize, firstType);
+ copyElements(buffer, firstArraySize, secondButterfly->contiguousDouble().data(), secondArraySize, secondType);
+
} else if (type != ArrayWithUndecided) {
WriteBarrier<Unknown>* buffer = result->butterfly()->contiguous().data();
-
- auto copy = [&] (unsigned offset, void* source, unsigned size, IndexingType type) {
- if (type != ArrayWithUndecided) {
- memcpy(buffer + offset, source, sizeof(JSValue) * size);
- return;
- }
-
- for (unsigned i = size; i--;)
- buffer[i + offset].clear();
- };
-
- copy(0, firstButterfly->contiguous().data(), firstArraySize, firstType);
- copy(firstArraySize, secondButterfly->contiguous().data(), secondArraySize, secondType);
+ copyElements(buffer, 0, firstButterfly->contiguous().data(), firstArraySize, firstType);
+ copyElements(buffer, firstArraySize, secondButterfly->contiguous().data(), secondArraySize, secondType);
}
result->butterfly()->setPublicLength(resultSize);
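Review bot: In the ArrayWithDouble branch, copyElements decides from firstType/secondType alone whether a source may be raw-copied as doubles, and nothing in the hunk asserts that each source is either ArrayWithDouble or ArrayWithUndecided at that point. If the indexing-type merge above the hunk (not visible here) guarantees it, state the invariant with `ASSERT(firstType == ArrayWithDouble || firstType == ArrayWithUndecided);` and the same for secondType. A later change that lets another storage shape through would then fail in debug builds instead of memcpy'ing tagged values into double storage. A one-line comment saying that the source pointer is never read when the type is Undecided would also help, because `contiguousDouble().data()` is still evaluated for such a butterfly. The function starts and ends outside this hunk.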