Title: [262088] trunk
Revision
262088
Author
[email protected]
Date
2020-05-22 16:50:26 -0700 (Fri, 22 May 2020)

Log Message

Array.prototype.splice doesn't set "length" of returned object
https://bugs.webkit.org/show_bug.cgi?id=212285

Reviewed by Darin Adler.

JSTests:

* test262/expectations.yaml: Mark 2 test cases as passing.

Source/JavaScriptCore:

This change implements step 12 of Array.prototype.splice [1], which is observable
if result object is not JSArray, aligning JSC with V8 and SpiderMonkey.

Only slow path of splice() is affected by this patch; zero-argument case already
performs setLength(). Microbenchmarks are neutral.

[1]: https://tc39.es/ecma262/#sec-array.prototype.splice

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSplice):
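
The observable behaviour the log message refers to, as an added example that is not part of this commit or of WebKit's tests. It assumes a constructed species constructor that returns a Proxy, so every trap hit on the result object is recorded; `tracedSplice` and the handler names are hypothetical.

```javascript
// Added example: record which Proxy traps Array.prototype.splice triggers on a
// result object that is not a real Array (created through Symbol.species).
function tracedSplice() {
  const log = [];
  const target = {};
  const result = new Proxy(target, {
    defineProperty(t, key, desc) {
      log.push(`defineProperty:${String(key)}`);
      return Reflect.defineProperty(t, key, desc);
    },
    set(t, key, value, receiver) {
      log.push(`set:${String(key)}`);
      return Reflect.set(t, key, value, receiver);
    },
    getOwnPropertyDescriptor(t, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
  });

  const source = [10, 20, 30, 40]; // constructed sample input
  // ArraySpeciesCreate reads source.constructor[Symbol.species] and constructs it;
  // returning an object from the constructor makes that object the splice result.
  source.constructor = { [Symbol.species]: function () { return result; } };

  const returned = source.splice(1, 2);
  return { log, target, source, sameObject: returned === result };
}

const run = tracedSplice();
// With the "length" Set implemented, the deleted elements are defined first,
// then "length" is written through the set trap, which in turn consults
// getOwnPropertyDescriptor and defineProperty on the receiver.
console.log(run.log.join("\n"));
console.log("length on result:", run.target.length);
```

An engine that skips the final Set stops after the two element `defineProperty` calls and leaves `length` undefined on the result, which is the difference the removed test262 expectation recorded.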

Diff

Modified: trunk/JSTests/ChangeLog (262087 => 262088)


--- trunk/JSTests/ChangeLog	2020-05-22 23:21:27 UTC (rev 262087)
+++ trunk/JSTests/ChangeLog	2020-05-22 23:50:26 UTC (rev 262088)
@@ -1,3 +1,12 @@
+2020-05-22  Alexey Shvayka  <[email protected]>
+
+        Array.prototype.splice doesn't set "length" of returned object
+        https://bugs.webkit.org/show_bug.cgi?id=212285
+
+        Reviewed by Darin Adler.
+
+        * test262/expectations.yaml: Mark 2 test cases as passing.
+
 2020-05-22  Saam Barati  <[email protected]>
 
         in_by_val inside structure property for-in loop should use an opcode like has_structure_property but for "in"

Modified: trunk/JSTests/test262/expectations.yaml (262087 => 262088)


--- trunk/JSTests/test262/expectations.yaml	2020-05-22 23:21:27 UTC (rev 262087)
+++ trunk/JSTests/test262/expectations.yaml	2020-05-22 23:50:26 UTC (rev 262088)
@@ -636,9 +636,6 @@
 test/annexB/language/statements/function/default-parameters-emulates-undefined.js:
   default: 'Test262Error: Expected SameValue(«undefined», «[object Function]») to be true'
   strict mode: 'Test262Error: Expected SameValue(«undefined», «[object Function]») to be true'
-test/built-ins/Array/prototype/splice/property-traps-order-with-species.js:
-  default: 'Test262Error: Expected [defineProperty, defineProperty, set, getOwnPropertyDescriptor, defineProperty] and [defineProperty, defineProperty] to have the same contents. '
-  strict mode: 'Test262Error: Expected [defineProperty, defineProperty, set, getOwnPropertyDescriptor, defineProperty] and [defineProperty, defineProperty] to have the same contents. '
 test/built-ins/ArrayBuffer/prototype/byteLength/detached-buffer.js:
   default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
   strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
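
Review bot: Dropping the `property-traps-order-with-species.js` entry is the only test coverage visible in this change, so the new behaviour is checked solely through test262. Consider adding a JSC-local test under JSTests that calls splice with a species constructor returning a non-JSArray object and asserts "length" on the result, so a regression is caught even if the test262 import or this expectations file changes.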

Modified: trunk/Source/_javascript_Core/ChangeLog (262087 => 262088)


--- trunk/Source/_javascript_Core/ChangeLog	2020-05-22 23:21:27 UTC (rev 262087)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-05-22 23:50:26 UTC (rev 262088)
@@ -1,3 +1,21 @@
+2020-05-22  Alexey Shvayka  <[email protected]>
+
+        Array.prototype.splice doesn't set "length" of returned object
+        https://bugs.webkit.org/show_bug.cgi?id=212285
+
+        Reviewed by Darin Adler.
+
+        This change implements step 12 of Array.prototype.splice [1], which is observable
+        if result object is not JSArray, aligning JSC with V8 and SpiderMonkey.
+
+        Only slow path of splice() is affected by this patch; zero-argument case already
+        performs setLength(). Microbenchmarks are neutral.
+
+        [1]: https://tc39.es/ecma262/#sec-array.prototype.splice
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncSplice):
+
 2020-05-22  Saam Barati  <[email protected]>
 
         in_by_val inside structure property for-in loop should use an opcode like has_structure_property but for "in"
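
Review bot: "step 12" in this entry refers to the living spec at tc39.es, where step numbers move as the text is edited; name the step itself (the Set of "length" on A to actualDeleteCount) so the reference stays resolvable. "Microbenchmarks are neutral" would also be easier to verify if the entry listed which benchmarks were run.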

Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (262087 => 262088)


--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2020-05-22 23:21:27 UTC (rev 262087)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2020-05-22 23:50:26 UTC (rev 262088)
@@ -1217,6 +1217,8 @@
             result->putDirectIndex(globalObject, k, v, 0, PutDirectIndexShouldThrow);
             RETURN_IF_EXCEPTION(scope, encodedJSValue());
         }
+        setLength(globalObject, vm, result, actualDeleteCount);
+        RETURN_IF_EXCEPTION(scope, { });
     }
 
     if (itemCount < actualDeleteCount) {
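
Review bot: The added `setLength(globalObject, vm, result, actualDeleteCount)` can run script when `result` is not a JSArray (the log message calls it observable, and the removed expectation shows a `set` trap firing), and it sits immediately before the `if (itemCount < actualDeleteCount)` branch, so please confirm that nothing read from the receiver earlier in the function is assumed unchanged after this call. The `putDirectIndex` loop above can already reach user code through `defineProperty`, so this is likely fine, but a short comment stating that the later code tolerates side effects here would help future readers. Minor style point: the new `RETURN_IF_EXCEPTION(scope, { })` differs from `RETURN_IF_EXCEPTION(scope, encodedJSValue())` three lines above in the same block; pick one form for both.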