Title: [266581] trunk
Revision: 266581
Author: [email protected]
Date: 2020-09-04 01:05:35 -0700 (Fri, 04 Sep 2020)

Log Message

Array.prototype.push should always perform [[Set]] in strict mode
https://bugs.webkit.org/show_bug.cgi?id=216121

Reviewed by Darin Adler.

JSTests:

* test262/expectations.yaml: Mark 2 test cases as passing.

Source/_javascript_Core:

This patch fixes arrayProtoFuncPush() to throw a TypeError if putting an
index beyond UINT32_MAX has failed, aligning JSC with the spec [1], V8,
and SpiderMonkey. Also, refactors the method leveraging putByIndexInline().

Array.prototype.push microbenchmarks, including varargs tests, are neutral.

[1]: https://tc39.es/ecma262/#sec-array.prototype.push (step 5.b)

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncPush):
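
The behaviour the log message describes can be observed from script. The following is an added example, not code from the WebKit patch or the test262 suite: it builds constructed array-likes whose next index lies past UINT32_MAX and checks that Array.prototype.push performs Set(O, P, E, true) (step 5.b of the spec link above), so a failed [[Set]] surfaces as a TypeError even from sloppy-mode callers, while the length guard from step 4 (length + argCount must stay at or below 2**53 - 1) throws before the loop starts. The `outcome` helper and the three case functions are names chosen for this example.

```javascript
// Added example, not code from the WebKit patch: it exercises the spec rule that
// Array.prototype.push calls Set(O, P, E, true) for every element (step 5.b),
// so a failed [[Set]] throws a TypeError regardless of the caller's strictness.

const UINT32_MAX = 2 ** 32 - 1;
const MAX_SAFE_LENGTH = 2 ** 53 - 1;

// Run `fn` and describe what happened instead of letting an exception escape.
function outcome(fn) {
  try {
    return { threw: false, value: fn() };
  } catch (e) {
    return { threw: true, error: e.constructor.name, message: e.message };
  }
}

// Case 1: the next index is UINT32_MAX + 1 (not an array index, so engines take
// the generic property-name path) and that property is non-writable. [[Set]]
// fails, so push must throw a TypeError and leave length untouched.
function pushOntoNonWritableIndex() {
  const obj = { length: UINT32_MAX + 1 }; // constructed array-like
  Object.defineProperty(obj, String(UINT32_MAX + 1), {
    value: "frozen", writable: false, configurable: true,
  });
  const result = outcome(() => Array.prototype.push.call(obj, "new"));
  return { ...result, length: obj.length };
}

// Case 2: same index range, but the slot is writable. push succeeds, stores the
// element under the large numeric key and returns the incremented length.
function pushOntoWritableIndex() {
  const obj = { length: UINT32_MAX + 1 }; // constructed array-like
  const result = outcome(() => Array.prototype.push.call(obj, "new"));
  return { ...result, stored: obj[UINT32_MAX + 1], length: obj.length };
}

// Case 3: the guard that precedes the element loop: length + argCount may not
// exceed 2**53 - 1 (step 4), so push throws before touching any index.
function pushPastSafeLength() {
  const obj = { length: MAX_SAFE_LENGTH }; // constructed array-like
  const result = outcome(() => Array.prototype.push.call(obj, "one more"));
  return { ...result, length: obj.length };
}
```

Each function returns a small record rather than printing, so the three outcomes (TypeError with length unchanged, success with length 2**32 + 1, TypeError from the step 4 guard) can be inspected or asserted on directly.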

Diff

Modified: trunk/JSTests/ChangeLog (266580 => 266581)


--- trunk/JSTests/ChangeLog	2020-09-04 07:02:27 UTC (rev 266580)
+++ trunk/JSTests/ChangeLog	2020-09-04 08:05:35 UTC (rev 266581)
@@ -1,3 +1,12 @@
+2020-09-04  Alexey Shvayka  <[email protected]>
+
+        Array.prototype.push should always perform [[Set]] in strict mode
+        https://bugs.webkit.org/show_bug.cgi?id=216121
+
+        Reviewed by Darin Adler.
+
+        * test262/expectations.yaml: Mark 2 test cases as passing.
+
 2020-09-02  Yusuke Suzuki  <[email protected]>
 
         [JSC] Cache toString / valueOf / @@toPrimitive for major cases

Modified: trunk/JSTests/test262/expectations.yaml (266580 => 266581)


--- trunk/JSTests/test262/expectations.yaml	2020-09-04 07:02:27 UTC (rev 266580)
+++ trunk/JSTests/test262/expectations.yaml	2020-09-04 08:05:35 UTC (rev 266581)
@@ -603,9 +603,6 @@
   default: 'Test262Error: An initialized binding is not created prior to evaluation Expected a ReferenceError to be thrown but no exception was thrown at all'
 test/annexB/language/global-code/switch-dflt-global-skip-early-err.js:
   default: "SyntaxError: Cannot declare a function that shadows a let/const/class/function variable 'f' in strict mode."
-test/built-ins/Array/prototype/push/length-near-integer-limit-set-failure.js:
-  default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
-  strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
 test/built-ins/ArrayBuffer/prototype/byteLength/detached-buffer.js:
   default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'
   strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all'

Modified: trunk/Source/_javascript_Core/ChangeLog (266580 => 266581)


--- trunk/Source/_javascript_Core/ChangeLog	2020-09-04 07:02:27 UTC (rev 266580)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-09-04 08:05:35 UTC (rev 266581)
@@ -1,3 +1,21 @@
+2020-09-04  Alexey Shvayka  <[email protected]>
+
+        Array.prototype.push should always perform [[Set]] in strict mode
+        https://bugs.webkit.org/show_bug.cgi?id=216121
+
+        Reviewed by Darin Adler.
+
+        This patch fixes arrayProtoFuncPush() to throw a TypeError if putting an
+        index beyond UINT32_MAX has failed, aligning JSC with the spec [1], V8,
+        and SpiderMonkey. Also, refactors the method leveraging putByIndexInline().
+
+        Array.prototype.push microbenchmarks, including varargs tests, are neutral.
+
+        [1]: https://tc39.es/ecma262/#sec-array.prototype.push (step 5.b)
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncPush):
+
 2020-09-03  Carlos Garcia Campos  <[email protected]>
 
         Unreviewed. [GLIB] Add missing return

Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (266580 => 266581)


--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2020-09-04 07:02:27 UTC (rev 266580)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2020-09-04 08:05:35 UTC (rev 266581)
@@ -916,14 +916,8 @@
         return throwVMTypeError(globalObject, scope, "push cannot produce an array of length larger than (2 ** 53) - 1"_s);
 
     for (unsigned n = 0; n < argCount; n++) {
-        if (LIKELY(length + n <= MAX_ARRAY_INDEX))
-            thisObj->methodTable(vm)->putByIndex(thisObj, globalObject, static_cast<uint32_t>(length + n), callFrame->uncheckedArgument(n), true);
-        else {
-            PutPropertySlot slot(thisObj);
-            Identifier propertyName = Identifier::from(vm, length + n);
-            thisObj->methodTable(vm)->put(thisObj, globalObject, propertyName, callFrame->uncheckedArgument(n), slot);
-        }
-        RETURN_IF_EXCEPTION(scope, encodedJSValue());
+        thisObj->putByIndexInline(globalObject, static_cast<uint64_t>(length + n), callFrame->uncheckedArgument(n), true);
+        RETURN_IF_EXCEPTION(scope, { });
     }
     
     uint64_t newLength = length + argCount;
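Review bot: the `static_cast<uint64_t>(length + n)` on the added putByIndexInline line looks redundant, since `length` is already 64-bit (the trailing context computes `uint64_t newLength = length + argCount;` from it with no cast); consider dropping it. A one-line comment on that call would also help the next reader: the `true` argument is the spec's Throw = true from step 5.b, which is what makes a failed put on an index past UINT32_MAX surface as a TypeError, whereas the removed `else` branch called `put` and discarded its return value, so such failures went unreported.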
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
