Reviewers: Sven,

Message:
PTAL.

Description:
Fix Array.filter to use internal array for result.

In built-in code we use arrays for internal computations. This makes it
possible to affect the built-in code by putting getters or setters on
the array prototype chain. Using internal arrays prevents those issues.

Related to: http://code.google.com/p/v8/source/detail?r=7040

[email protected]
TEST=test262/15.4.4.20-9-b-6

Please review this at http://codereview.chromium.org/8353006/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files:
  M src/array.js
  M test/test262/test262.status


Index: src/array.js
diff --git a/src/array.js b/src/array.js
index 74868e746ba07cd61d0c33cd2061f2111c6e21b5..214065c7bf3b087c5d8f61f54cc3f955efff619d 100644
--- a/src/array.js
+++ b/src/array.js
@@ -1017,16 +1017,18 @@ function ArrayFilter(f, receiver) {
     receiver = ToObject(receiver);
   }

-  var result = [];
-  var result_length = 0;
+  var result = new $Array();
+  var accumulator = new InternalArray();
+  var accumulator_length = 0;
   for (var i = 0; i < length; i++) {
     var current = array[i];
     if (!IS_UNDEFINED(current) || i in array) {
       if (%_CallFunction(receiver, current, i, array, f)) {
-        result[result_length++] = current;
+        accumulator[accumulator_length++] = current;
       }
     }
   }
+  %MoveArrayContents(accumulator, result);
   return result;
 }
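Review bot: Nothing at `var accumulator = new InternalArray();` records why the result is collected in a separate array and then moved. A later cleanup could therefore restore `result[n++] = current`, which, per the commit description, lets accessors placed on the array prototype chain interfere with the built-in. I would add a comment above the accumulator, for example `// Collect into an InternalArray so element stores are not affected by accessors on the Array prototype chain.` The TEST= line relies on test262 only, so a small regression test in the project's own suite that checks filter's output with an indexed accessor present on the prototype would pin the behaviour independently of the status file. ArrayFilter begins above this hunk, and any other built-ins in this file that build results the same way are not visible here, so they would need a separate check.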

Index: test/test262/test262.status
diff --git a/test/test262/test262.status b/test/test262/test262.status
index 20d5b55d5622f43cfd7894a80365b643189152bb..2ba0f1530bc109ee561ea193ef7525514f2cc516 100644
--- a/test/test262/test262.status
+++ b/test/test262/test262.status
@@ -466,24 +466,9 @@ S15.4.4.3_A2_T1: FAIL_OK
 # Bug? Array.prototype.map - decreasing length of array does not delete
 #      non-configurable properties
 15.4.4.19-8-b-16: FAIL
-# Bug? Array.prototype.filter - properties can be added to prototype after
-#      current position are visited on an Array-like object
-15.4.4.20-9-b-6: FAIL
 # Bug? Array.prototype.filter - decreasing length of array does not delete
 #      non-configurable properties
 15.4.4.20-9-b-16: FAIL
-# Bug? Array.prototype.filter - element to be retrieved is own data property
-#      that overrides an inherited accessor property on an Array
-15.4.4.20-9-c-i-6: FAIL
-# Bug? Array.prototype.filter - element to be retrieved is own accessor property
-#      that overrides an inherited accessor property on an Array
-15.4.4.20-9-c-i-14: FAIL
-# Bug? Array.prototype.filter - element to be retrieved is inherited accessor
-#      property on an Array
-15.4.4.20-9-c-i-16: FAIL
-# Bug? Array.prototype.filter - element to be retrieved is inherited accessor
-#      property without a get function on an Array
-15.4.4.20-9-c-i-22: FAIL
# Bug? Array.prototype.reduce - decreasing length of array in step 8 does not
 #      delete non-configurable properties
 15.4.4.21-9-b-16: FAIL

