Title: [132953] trunk/Source/_javascript_Core
Revision
132953
Author
[email protected]
Date
2012-10-30 16:11:59 -0700 (Tue, 30 Oct 2012)

Log Message

Arrays can change IndexingType in the middle of sorting
https://bugs.webkit.org/show_bug.cgi?id=100773

Reviewed by Filip Pizlo.

Instead of giving up, we just fetch the appropriate vector based on the current
IndexingType of the array.

* runtime/JSArray.cpp:
(JSC::JSArray::sortVector):
* runtime/JSObject.h:
(JSObject):
(JSC::JSObject::currentIndexingData):
(JSC::JSObject::currentRelevantLength):

Modified: trunk/Source/_javascript_Core/ChangeLog (132952 => 132953)


--- trunk/Source/_javascript_Core/ChangeLog	2012-10-30 22:55:23 UTC (rev 132952)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-10-30 23:11:59 UTC (rev 132953)
@@ -1,3 +1,20 @@
+2012-10-30  Mark Hahnenberg  <[email protected]>
+
+        Arrays can change IndexingType in the middle of sorting
+        https://bugs.webkit.org/show_bug.cgi?id=100773
+
+        Reviewed by Filip Pizlo.
+
+        Instead of giving up, we just fetch the appropriate vector based on the current 
+        IndexingType of the array.
+
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::sortVector):
+        * runtime/JSObject.h:
+        (JSObject):
+        (JSC::JSObject::currentIndexingData):
+        (JSC::JSObject::currentRelevantLength):
+
 2012-10-29  Anders Carlsson  <[email protected]>
 
         Build WebKit as C++11 on Mac

Modified: trunk/Source/_javascript_Core/runtime/JSArray.cpp (132952 => 132953)


--- trunk/Source/_javascript_Core/runtime/JSArray.cpp	2012-10-30 22:55:23 UTC (rev 132952)
+++ trunk/Source/_javascript_Core/runtime/JSArray.cpp	2012-10-30 23:11:59 UTC (rev 132953)
@@ -1092,7 +1092,7 @@
     for (; numDefined < usedVectorLength; ++numDefined) {
         if (numDefined > m_butterfly->vectorLength())
             break;
-        JSValue v = indexingData<indexingType>()[numDefined].get();
+        JSValue v = currentIndexingData()[numDefined].get();
         if (!v || v.isUndefined())
             break;
         tree.abstractor().m_nodes[numDefined].value = v;
@@ -1101,7 +1101,7 @@
     for (unsigned i = numDefined; i < usedVectorLength; ++i) {
         if (i > m_butterfly->vectorLength())
             break;
-        JSValue v = indexingData<indexingType>()[i].get();
+        JSValue v = currentIndexingData()[i].get();
         if (v) {
             if (v.isUndefined())
                 ++numUndefined;
@@ -1116,7 +1116,7 @@
     unsigned newUsedVectorLength = numDefined + numUndefined;
         
     // The array size may have changed. Figure out the new bounds.
-    unsigned newestUsedVectorLength = relevantLength<indexingType>();
+    unsigned newestUsedVectorLength = currentRelevantLength();
         
     unsigned elementsToExtractThreshold = min(min(newestUsedVectorLength, numDefined), static_cast<unsigned>(tree.abstractor().m_nodes.size()));
     unsigned undefinedElementsThreshold = min(newestUsedVectorLength, newUsedVectorLength);
@@ -1127,18 +1127,18 @@
     iter.start_iter_least(tree);
     JSGlobalData& globalData = exec->globalData();
     for (unsigned i = 0; i < elementsToExtractThreshold; ++i) {
-        indexingData<indexingType>()[i].set(globalData, this, tree.abstractor().m_nodes[*iter].value);
+        currentIndexingData()[i].set(globalData, this, tree.abstractor().m_nodes[*iter].value);
         ++iter;
     }
     // Put undefined values back in.
     for (unsigned i = elementsToExtractThreshold; i < undefinedElementsThreshold; ++i)
-        indexingData<indexingType>()[i].setUndefined();
+        currentIndexingData()[i].setUndefined();
 
     // Ensure that unused values in the vector are zeroed out.
     for (unsigned i = undefinedElementsThreshold; i < clearElementsThreshold; ++i)
-        indexingData<indexingType>()[i].clear();
+        currentIndexingData()[i].clear();
     
-    if (hasArrayStorage(indexingType))
+    if (hasArrayStorage(structure()->indexingType()))
         arrayStorage()->m_numValuesInVector = newUsedVectorLength;
 }
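Review bot: The three write-back loops (`currentIndexingData()[i].set(...)`, `.setUndefined()` and `.clear()`) re-dispatch on `structure()->indexingType()` for every element even though, as far as the hunk shows, nothing between those loops can run JS or reallocate the butterfly; fetching the vector once before the first of them, `WriteBarrier<Unknown>* vector = currentIndexingData();`, and indexing `vector[i]` keeps the per-element cost flat. The re-fetch in the two earlier read loops is what this fix needs, since the comparator presumably runs between their iterations, so those should stay as written. Not introduced here, but the adjacent guards `if (numDefined > m_butterfly->vectorLength())` and `if (i > m_butterfly->vectorLength())` let an index equal to vectorLength() reach the read on the next line; if vectorLength() is an element count, `>=` is the intended bound. The final `arrayStorage()->m_numValuesInVector = newUsedVectorLength` also records numDefined + numUndefined even when `undefinedElementsThreshold` was clamped to a smaller `newestUsedVectorLength`, so `min(newUsedVectorLength, newestUsedVectorLength)` looks like the safer value — worth confirming against how m_numValuesInVector is consumed. sortVector begins outside the hunk.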
 

Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (132952 => 132953)


--- trunk/Source/_javascript_Core/runtime/JSObject.h	2012-10-30 22:55:23 UTC (rev 132952)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h	2012-10-30 23:11:59 UTC (rev 132953)
@@ -717,6 +717,21 @@
                 return 0;
             }
         }
+
+        WriteBarrier<Unknown>* currentIndexingData()
+        {
+            switch (structure()->indexingType()) {
+            case ALL_CONTIGUOUS_INDEXING_TYPES:
+                return m_butterfly->contiguous();
+
+            case ALL_ARRAY_STORAGE_INDEXING_TYPES:
+                return m_butterfly->arrayStorage()->m_vector;
+
+            default:
+                CRASH();
+                return 0;
+            }
+        }
         
         template<IndexingType indexingType>
         unsigned relevantLength()
@@ -736,6 +751,23 @@
             }
         }
 
+        unsigned currentRelevantLength()
+        {
+            switch (structure()->indexingType()) {
+            case ALL_CONTIGUOUS_INDEXING_TYPES:
+                return m_butterfly->publicLength();
+
+            case ALL_ARRAY_STORAGE_INDEXING_TYPES:
+                return std::min(
+                    m_butterfly->arrayStorage()->length(),
+                    m_butterfly->arrayStorage()->vectorLength());
+
+            default:
+                CRASH();
+                return 0;
+            }
+        }
+
     private:
         friend class LLIntOffsetsExtractor;
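Review bot: Neither `currentIndexingData()` nor `currentRelevantLength()` documents when a caller should use it instead of the template forms `indexingData<indexingType>()` and `relevantLength<indexingType>()` directly above, so the near-duplicate switches read as accidental; a one-line comment on each, such as `// Like indexingData<>(), but dispatches on the structure's current IndexingType; use when the type may have changed since the caller chose it (e.g. a comparator ran JS).`, would record the intent. The new bodies also repeat the case arms and the `CRASH(); return 0;` default of the templates; forwarding each case to the matching template instantiation would keep the two in step if the storage layout changes later. The enclosing JSObject class begins and ends outside both hunks.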
         