Title: [215451] trunk
Revision
215451
Author
mark....@apple.com
Date
2017-04-17 22:55:41 -0700 (Mon, 17 Apr 2017)

Log Message

JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too.
https://bugs.webkit.org/show_bug.cgi?id=170896
<rdar://problem/31651319>

Reviewed by JF Bastien and Keith Miller.

JSTests:

* stress/regress-170896.js: Added.

Source/JavaScriptCore:

* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):

Diff

Modified: trunk/JSTests/ChangeLog (215450 => 215451)


--- trunk/JSTests/ChangeLog	2017-04-18 05:37:45 UTC (rev 215450)
+++ trunk/JSTests/ChangeLog	2017-04-18 05:55:41 UTC (rev 215451)
@@ -1,3 +1,13 @@
+2017-04-17  Mark Lam  <mark....@apple.com>
+
+        JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too.
+        https://bugs.webkit.org/show_bug.cgi?id=170896
+        <rdar://problem/31651319>
+
+        Reviewed by JF Bastien and Keith Miller.
+
+        * stress/regress-170896.js: Added.
+
 2017-04-16  Joseph Pecoraro  <pecor...@apple.com>
 
         test262: test262/test/built-ins/Object/prototype/toLocaleString/primitive_this_value.js

Added: trunk/JSTests/stress/regress-170896.js (0 => 215451)


--- trunk/JSTests/stress/regress-170896.js	                        (rev 0)
+++ trunk/JSTests/stress/regress-170896.js	2017-04-18 05:55:41 UTC (rev 215451)
@@ -0,0 +1,13 @@
+function test() {
+    let a = [,,,,,,,,,];
+    return a.concat();
+}
+noInline(test);
+
+test()[0] = {};
+
+for (let i = 0; i < 20000; ++i) {
+    var result = test();
+    if (result[0])
+        throw result.toString();
+}
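Review bot: the regression test has no comment explaining what it exercises, and the three parts of it only make sense together; a short header comment would help whoever touches it next. From the visible lines: `let a = [,,,,,,,,,];` builds a holes-only literal (an Undecided source array), the one-off `test()[0] = {};` store presumably warms the concat result's allocation profile so later results are no longer Undecided, and the loop then checks that index 0 is still a hole, i.e. that `appendMemcpy()` copied nothing out of the Undecided source's storage. Spelling that out (and why `noInline(test)` is needed to keep the same profiled concat site) would make the intent of the 20000-iteration loop clear.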

Modified: trunk/Source/_javascript_Core/ChangeLog (215450 => 215451)


--- trunk/Source/_javascript_Core/ChangeLog	2017-04-18 05:37:45 UTC (rev 215450)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-04-18 05:55:41 UTC (rev 215451)
@@ -1,3 +1,14 @@
+2017-04-17  Mark Lam  <mark....@apple.com>
+
+        JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too.
+        https://bugs.webkit.org/show_bug.cgi?id=170896
+        <rdar://problem/31651319>
+
+        Reviewed by JF Bastien and Keith Miller.
+
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::appendMemcpy):
+
 2017-04-17  Joseph Pecoraro  <pecor...@apple.com>
 
         Web Inspector: Doesn't show size of compressed content correctly

Modified: trunk/Source/_javascript_Core/runtime/JSArray.cpp (215450 => 215451)


--- trunk/Source/_javascript_Core/runtime/JSArray.cpp	2017-04-18 05:37:45 UTC (rev 215450)
+++ trunk/Source/_javascript_Core/runtime/JSArray.cpp	2017-04-18 05:55:41 UTC (rev 215451)
@@ -483,7 +483,8 @@
         return false;
 
     IndexingType type = indexingType();
-    IndexingType copyType = mergeIndexingTypeForCopying(otherArray->indexingType());
+    IndexingType otherType = otherArray->indexingType();
+    IndexingType copyType = mergeIndexingTypeForCopying(otherType);
     if (type == ArrayWithUndecided && copyType != NonArray) {
         if (copyType == ArrayWithInt32)
             convertUndecidedToInt32(vm);
@@ -517,7 +518,16 @@
     }
     ASSERT(copyType == indexingType());
 
-    if (type == ArrayWithDouble)
+    if (UNLIKELY(otherType == ArrayWithUndecided)) {
+        auto* butterfly = this->butterfly();
+        if (type == ArrayWithDouble) {
+            for (unsigned i = startIndex; i < newLength; ++i)
+                butterfly->contiguousDouble()[i] = PNaN;
+        } else {
+            for (unsigned i = startIndex; i < newLength; ++i)
+                butterfly->contiguousInt32()[i].setWithoutWriteBarrier(JSValue());
+        }
+    } else if (type == ArrayWithDouble)
         memcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);
     else
         memcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength);
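Review bot: the new fill loops are bounded by `newLength` while the unchanged `memcpy` branches copy `sizeof(JSValue) * otherLength` bytes from `startIndex`; `newLength` is defined outside this hunk, so please confirm it equals `startIndex + otherLength`, or write the loops as `for (unsigned i = startIndex; i < startIndex + otherLength; ++i)` so both branches visibly cover the same range. Two smaller points: the non-double branch uses `butterfly->contiguousInt32()` even when `type` is `ArrayWithContiguous` (it works because both layouts are JSValue-sized slots and `JSValue()` is the hole marker for both, but a one-line comment saying so would save the next reader a trip through the headers), and a comment on the `UNLIKELY(otherType == ArrayWithUndecided)` guard stating why an Undecided source must be treated as all holes rather than memcpy'd (its butterfly carries no initialized values to copy) would document the bug this change fixes.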