Title: [134266] branches/safari-536.28-branch/Source/_javascript_Core
Diff
Modified: branches/safari-536.28-branch/Source/_javascript_Core/ChangeLog (134265 => 134266)
--- branches/safari-536.28-branch/Source/_javascript_Core/ChangeLog 2012-11-12 19:20:26 UTC (rev 134265)
+++ branches/safari-536.28-branch/Source/_javascript_Core/ChangeLog 2012-11-12 19:24:18 UTC (rev 134266)
@@ -1,3 +1,23 @@
+2012-11-12 Lucas Forschler <[email protected]>
+
+ Merge r129577
+
+ 2012-09-25 Filip Pizlo <[email protected]>
+
+ We shouldn't use the optimized versions of shift/unshift if the user is doing crazy things to the array
+ https://bugs.webkit.org/show_bug.cgi?id=97603
+ <rdar://problem/12370864>
+
+ Reviewed by Gavin Barraclough.
+
+ You changed the length behind our backs? No optimizations for you then!
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::shift):
+ (JSC::unshift):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::shiftCount):
+
2012-11-09 Lucas Forschler <[email protected]>
Merge r126624
@@ -69238,3 +69258,4 @@
.
.
.
+.
Modified: branches/safari-536.28-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp (134265 => 134266)
--- branches/safari-536.28-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2012-11-12 19:20:26 UTC (rev 134265)
+++ branches/safari-536.28-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2012-11-12 19:24:18 UTC (rev 134266)
@@ -190,8 +190,11 @@
ASSERT(header <= length);
ASSERT(currentCount <= (length - header));
- if (!header && isJSArray(thisObj) && asArray(thisObj)->shiftCount(exec, count))
- return;
+ if (!header && isJSArray(thisObj)) {
+ JSArray* array = asArray(thisObj);
+ if (array->length() == length && asArray(thisObj)->shiftCount(exec, count))
+ return;
+ }
for (unsigned k = header; k < length - currentCount; ++k) {
unsigned from = k + currentCount;
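Review bot: The new local `array` introduced after the `isJSArray` check is used only for the length comparison, while the fast-path call on the same line still re-derives the object with `asArray(thisObj)`; use the local for both, `if (array->length() == length && array->shiftCount(exec, count))`. The same pattern recurs in the unshift hunk below, where `asArray(thisObj)->unshiftCount(exec, count)` should become `array->unshiftCount(exec, count)`. The re-check of the length looks redundant at first glance, and the ChangeLog entry suggests its purpose is to skip the optimized path when the array's length changed behind the caller's back, so a comment such as `// Take the fast path only if nothing has changed the length since it was read above.` would document the intent. The enclosing function starts before and ends after this hunk.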
@@ -230,8 +233,11 @@
return;
}
- if (!header && isJSArray(thisObj) && asArray(thisObj)->unshiftCount(exec, count))
- return;
+ if (!header && isJSArray(thisObj)) {
+ JSArray* array = asArray(thisObj);
+ if (array->length() == length && asArray(thisObj)->unshiftCount(exec, count))
+ return;
+ }
for (unsigned k = length - currentCount; k > header; --k) {
unsigned from = k + currentCount - 1;
Modified: branches/safari-536.28-branch/Source/_javascript_Core/runtime/JSArray.cpp (134265 => 134266)
--- branches/safari-536.28-branch/Source/_javascript_Core/runtime/JSArray.cpp 2012-11-12 19:20:26 UTC (rev 134265)
+++ branches/safari-536.28-branch/Source/_javascript_Core/runtime/JSArray.cpp 2012-11-12 19:24:18 UTC (rev 134266)
@@ -1310,6 +1310,7 @@
ArrayStorage* storage = m_storage;
unsigned oldLength = storage->m_length;
+ ASSERT(count <= oldLength);
// If the array contains holes or is otherwise in an abnormal state,
// use the generic algorithm in ArrayPrototype.
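Review bot: The added `ASSERT(count <= oldLength)` is compiled out in release builds, so by itself it does not protect the shift logic below from a count larger than the stored length; the enforcement is in the ArrayPrototype.cpp callers, which now compare the array's length before calling. A precondition comment would make that dependency explicit for future callers: `// Precondition: count <= m_storage->m_length. Callers must re-check the array length before taking this fast path.` The enclosing function (JSArray::shiftCount, per the ChangeLog) starts and ends outside this hunk.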