Title: [129577] trunk/Source/_javascript_Core
Revision: 129577
Author: [email protected]
Date: 2012-09-25 17:22:44 -0700 (Tue, 25 Sep 2012)

Log Message

We shouldn't use the optimized versions of shift/unshift if the user is doing crazy things to the array
https://bugs.webkit.org/show_bug.cgi?id=97603
<rdar://problem/12370864>

Reviewed by Gavin Barraclough.

You changed the length behind our backs? No optimizations for you then!

* runtime/ArrayPrototype.cpp:
(JSC::shift):
(JSC::unshift):
* runtime/JSArray.cpp:
(JSC::JSArray::shiftCount):
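
The hazard this change guards against, as an added example that is not part of the commit or of WebKit's code: Array.prototype.splice reads `length` before it coerces its arguments, so a `valueOf` on the start argument runs user JavaScript after the engine has already committed to a length, and that user code can resize the array. An engine fast path that trusts the stale length would then read or write memory the array no longer owns; the spec-ordered generic algorithm does not. The page shows the `array->length() == length` bailout but not the call sites, so the assumption here is that splice is such a caller. `genericSplice` below is a plain-JS transcription of the spec's step order, written for this example (it is not JavaScriptCore's implementation), and it covers both directions, the shift case (fewer items inserted than deleted) and the unshift case (more inserted than deleted); `hostileStart`, `snapshot` and `compareNativeAndGeneric` are names chosen here.

```javascript
// Added example, not WebKit/JSC code. Shows user code resizing an array in the
// middle of a splice and compares the host engine's result with a spec-ordered
// generic implementation. The sample arrays and the hostile argument are
// constructed inline.

function toInteger(v) {               // ES ToInteger: ToNumber (runs valueOf), NaN -> 0, truncate
  const n = Number(v);
  return Number.isNaN(n) ? 0 : Math.trunc(n);
}

// Plain-JS transcription of the spec's splice step order (illustration only).
function genericSplice(O, start, deleteCount, ...items) {
  const len = Number(O.length) >>> 0;          // (1) length is read FIRST ...
  const relativeStart = toInteger(start);      // (2) ... and user code may run here and resize O
  const actualStart = relativeStart < 0 ? Math.max(len + relativeStart, 0) : Math.min(relativeStart, len);
  const actualDeleteCount = Math.min(Math.max(toInteger(deleteCount), 0), len - actualStart);
  const A = [];
  for (let k = 0; k < actualDeleteCount; k++) {   // every element access goes through HasProperty,
    const from = actualStart + k;                 // so holes created by the resize are honoured
    if (from in O) A[k] = O[from];
  }
  A.length = actualDeleteCount;
  const itemCount = items.length;
  if (itemCount < actualDeleteCount) {            // tail moves left (the shift direction)
    for (let k = actualStart; k < len - actualDeleteCount; k++) {
      const from = k + actualDeleteCount, to = k + itemCount;
      if (from in O) O[to] = O[from]; else delete O[to];
    }
    for (let k = len; k > len - actualDeleteCount + itemCount; k--) delete O[k - 1];
  } else if (itemCount > actualDeleteCount) {     // tail moves right (the unshift direction)
    for (let k = len - actualDeleteCount; k > actualStart; k--) {
      const from = k + actualDeleteCount - 1, to = k + itemCount - 1;
      if (from in O) O[to] = O[from]; else delete O[to];
    }
  }
  for (let k = 0; k < itemCount; k++) O[actualStart + k] = items[k];
  O.length = len - actualDeleteCount + itemCount;
  return A;
}

// Hostile start argument: its valueOf shrinks `target` from 8 to 2 elements.
function hostileStart(target, trace) {
  return {
    valueOf() {
      trace.push(`valueOf ran with length=${target.length}`);
      target.length = 2;                         // resize behind the engine's back
      return 0;
    },
  };
}

function snapshot(arr, removed, trace) {
  const keys = Object.keys(arr);                 // own index keys; holes are absent
  return { removed, length: arr.length, keys, values: keys.map((k) => arr[k]), trace };
}

// Run the same scenario through the host engine's splice and through genericSplice.
function compareNativeAndGeneric() {
  const a = [1, 2, 3, 4, 5, 6, 7, 8], ta = [];
  const native = snapshot(a, a.splice(hostileStart(a, ta), 1), ta);

  const b = [1, 2, 3, 4, 5, 6, 7, 8], tb = [];
  const generic = snapshot(b, genericSplice(b, hostileStart(b, tb), 1), tb);

  return { native, generic, agree: JSON.stringify(native) === JSON.stringify(generic) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(compareNativeAndGeneric(), null, 2));
}
```

Walking the spec order by hand: `len` is 8 when the array is already `[1, 2]`, so the removed slice is `[1]`, element 1 slides into slot 0, the remaining slots are deleted as holes, and `length` is finally set to 7. A fast path that did the same move with `memmove` over a buffer sized for 8 elements would be reading past what the array now owns; comparing the stored length with the one the caller was handed is what lets the engine notice the mismatch and take this generic route instead.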

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (129576 => 129577)


--- trunk/Source/_javascript_Core/ChangeLog	2012-09-26 00:03:27 UTC (rev 129576)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-09-26 00:22:44 UTC (rev 129577)
@@ -1,5 +1,21 @@
 2012-09-25  Filip Pizlo  <[email protected]>
 
+        We shouldn't use the optimized versions of shift/unshift if the user is doing crazy things to the array
+        https://bugs.webkit.org/show_bug.cgi?id=97603
+        <rdar://problem/12370864>
+
+        Reviewed by Gavin Barraclough.
+
+        You changed the length behind our backs? No optimizations for you then!
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::shift):
+        (JSC::unshift):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::shiftCount):
+
+2012-09-25  Filip Pizlo  <[email protected]>
+
         JSC bindings appear to sometimes ignore the possibility of arrays being in sparse mode
         https://bugs.webkit.org/show_bug.cgi?id=95610
 

Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (129576 => 129577)


--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2012-09-26 00:03:27 UTC (rev 129576)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2012-09-26 00:22:44 UTC (rev 129577)
@@ -202,8 +202,11 @@
     ASSERT(header <= length);
     ASSERT(currentCount <= (length - header));
 
-    if (!header && isJSArray(thisObj) && asArray(thisObj)->shiftCount(exec, count))
-        return;
+    if (!header && isJSArray(thisObj)) {
+        JSArray* array = asArray(thisObj);
+        if (array->length() == length && asArray(thisObj)->shiftCount(exec, count))
+            return;
+    }
 
     for (unsigned k = header; k < length - currentCount; ++k) {
         unsigned from = k + currentCount;
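Review bot: the new local `JSArray* array` is declared but the very next line still calls `asArray(thisObj)->shiftCount(exec, count)`; use `array->shiftCount(exec, count)` so the local actually serves the call (and the cast is done once). A one-line comment on the `array->length() == length` test would also help future readers: `length` was computed by the caller before any user code could run, so a mismatch means the array was resized in between and the fast path must not be trusted.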
@@ -242,8 +245,11 @@
         return;
     }
 
-    if (!header && isJSArray(thisObj) && asArray(thisObj)->unshiftCount(exec, count))
-        return;
+    if (!header && isJSArray(thisObj)) {
+        JSArray* array = asArray(thisObj);
+        if (array->length() == length && asArray(thisObj)->unshiftCount(exec, count))
+            return;
+    }
 
     for (unsigned k = length - currentCount; k > header; --k) {
         unsigned from = k + currentCount - 1;
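Review bot: same point as in shift above: `array` is introduced but the call is still `asArray(thisObj)->unshiftCount(exec, count)`; make it `array->unshiftCount(exec, count)`. Since the two guards are now identical apart from the method called, consider hoisting the `isJSArray(thisObj) && asArray(thisObj)->length() == length` condition into a small helper so the two fast-path checks cannot drift apart.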

Modified: trunk/Source/_javascript_Core/runtime/JSArray.cpp (129576 => 129577)


--- trunk/Source/_javascript_Core/runtime/JSArray.cpp	2012-09-26 00:03:27 UTC (rev 129576)
+++ trunk/Source/_javascript_Core/runtime/JSArray.cpp	2012-09-26 00:22:44 UTC (rev 129577)
@@ -499,6 +499,7 @@
     ArrayStorage* storage = ensureArrayStorage(exec->globalData());
     
     unsigned oldLength = storage->length();
+    ASSERT(count <= oldLength);
     
     // If the array contains holes or is otherwise in an abnormal state,
     // use the generic algorithm in ArrayPrototype.
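Review bot: `ASSERT(count <= oldLength)` is compiled out in release builds, so a caller that reaches shiftCount with a stale `count` still runs the code below unchecked. The callers now guarantee the invariant by comparing lengths, so the assert documents the contract, but the context right here already says abnormal states fall back to the generic algorithm; treating `count > oldLength` the same way, returning false instead of asserting, would make shiftCount safe on its own rather than relying on every caller to check first.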
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
