author | jkummerow@chromium.org <jkummerow@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00> | 2014-06-24 14:13:26 +0000 |
---|---|---|
committer | jkummerow@chromium.org <jkummerow@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00> | 2014-06-24 14:13:26 +0000 |
commit | 84b86472bb519c85690c1cc7996b02ab618c0d16 (patch) | |
tree | e986d2dd8aef86bed2ffc5386d86e2fbe9c70af5 | |
parent | ca39d836d353ba00c29d6260fda046d406c0571b (diff) | |
download | v8-84b86472bb519c85690c1cc7996b02ab618c0d16.tar.gz |
Version 3.27.34.2 (merged r21903)
Array.concat: properly go to dictionary mode when required
BUG=chromium:387031
LOG=N
R=danno@chromium.org
Review URL: https://codereview.chromium.org/354623002
git-svn-id: https://v8.googlecode.com/svn/branches/3.27@21976 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
-rw-r--r-- | src/runtime.cc | 12 | ||||
-rw-r--r-- | src/version.cc | 2 | ||||
-rw-r--r-- | test/mjsunit/regress/regress-crbug-387031.js | 15 |
3 files changed, 26 insertions, 3 deletions
diff --git a/src/runtime.cc b/src/runtime.cc
index b97af64f8..15e1adaf0 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -10034,7 +10034,7 @@ class ArrayConcatVisitor {
 // getters on the arrays increasing the length of later arrays
 // during iteration.
 // This shouldn't happen in anything but pathological cases.
- SetDictionaryMode(index);
+ SetDictionaryMode();
 // Fall-through to dictionary mode.
 }
 ASSERT(!fast_elements_);
@@ -10055,6 +10055,14 @@ class ArrayConcatVisitor {
 } else {
 index_offset_ += delta;
 }
+ // If the initial length estimate was off (see special case in visit()),
+ // but the array blowing the limit didn't contain elements beyond the
+ // provided-for index range, go to dictionary mode now.
+ if (fast_elements_ &&
+ index_offset_ >= static_cast<uint32_t>(
+ FixedArrayBase::cast(*storage_)->length())) {
+ SetDictionaryMode();
+ }
 }
 bool exceeds_array_limit() {
@@ -10076,7 +10084,7 @@ class ArrayConcatVisitor {
 private:
 // Convert storage to dictionary mode.
- void SetDictionaryMode(uint32_t index) {
+ void SetDictionaryMode() {
 ASSERT(fast_elements_);
 Handle<FixedArray> current_storage(*storage_);
 Handle<SeededNumberDictionary> slow_storage(
diff --git a/src/version.cc b/src/version.cc
index 2ae3ae6e9..a17db9c8d 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION 3
 #define MINOR_VERSION 27
 #define BUILD_NUMBER 34
-#define PATCH_LEVEL 1
+#define PATCH_LEVEL 2
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
diff --git a/test/mjsunit/regress/regress-crbug-387031.js b/test/mjsunit/regress/regress-crbug-387031.js
new file mode 100644
index 000000000..77f52a9d3
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-387031.js
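Review bot: In src/runtime.cc, the check added in the `@@ -10055` hunk enforces an invariant that is not written down anywhere: while `fast_elements_` is set, `index_offset_` must stay below the length of `storage_`. The other guards visible in this diff are `ASSERT(!fast_elements_)` and `ASSERT(fast_elements_)`, and V8's ASSERT is a debug-only check, so release builds presumably depend on this `if` and on the special case in visit() alone to keep the result's length within its fast backing store. I would state the invariant above the new block, for example `// Invariant: fast_elements_ implies index_offset_ < storage_->length().`, and consider a release-mode `CHECK` of the same condition where the result array is built, which is outside this diff. The enclosing function begins before the hunk, so the branch ahead of `} else {` cannot be reviewed from here.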
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+a = [1];
+b = [];
+a.__defineGetter__(0, function () {
+ b.length = 0xffffffff;
+});
+c = a.concat(b);
+for (var i = 0; i < 20; i++) {
+ assertEquals(undefined, (c[i]));
+} |
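Review bot: The `// Flags: --allow-natives-syntax` line is not needed by this test, because no `%` runtime call appears anywhere in it, so it can be dropped. The test also assigns `a`, `b` and `c` as implicit globals and only checks that the first 20 reads of `c` return `undefined`. Declaring them with `var` and adding an assertion on `c.length` after the concat would pin the length/storage relationship the fix is about, so a future regression fails on the assertion rather than depending on what an out-of-range read happens to return.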