Title: [167252] trunk/Source/_javascript_Core
- Revision
- 167252
- Author
- akl...@apple.com
- Date
- 2014-04-14 10:26:28 -0700 (Mon, 14 Apr 2014)
Log Message
Unreviewed, rolling out r167249.
https://bugs.webkit.org/show_bug.cgi?id=131621
broke 3 tests on cloop (Requested by kling on #webkit).
Reverted changeset:
"Array.prototype.concat should allocate output storage only
once."
https://bugs.webkit.org/show_bug.cgi?id=131609
http://trac.webkit.org/changeset/167249
Patch by Commit Queue <commit-qu...@webkit.org> on 2014-04-14
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (167251 => 167252)
--- trunk/Source/_javascript_Core/ChangeLog 2014-04-14 17:17:20 UTC (rev 167251)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-04-14 17:26:28 UTC (rev 167252)
@@ -1,3 +1,17 @@
+2014-04-14 Commit Queue <commit-qu...@webkit.org>
+
+ Unreviewed, rolling out r167249.
+ https://bugs.webkit.org/show_bug.cgi?id=131621
+
+ broke 3 tests on cloop (Requested by kling on #webkit).
+
+ Reverted changeset:
+
+ "Array.prototype.concat should allocate output storage only
+ once."
+ https://bugs.webkit.org/show_bug.cgi?id=131609
+ http://trac.webkit.org/changeset/167249
+
2014-04-14 Alex Christensen <achristen...@webkit.org>
Fixed potential integer truncation.
Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (167251 => 167252)
--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2014-04-14 17:17:20 UTC (rev 167251)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2014-04-14 17:26:28 UTC (rev 167252)
@@ -146,7 +146,7 @@
// ------------------------------ Array Functions ----------------------------
// Helper function
-static ALWAYS_INLINE JSValue getProperty(ExecState* exec, JSObject* obj, unsigned index)
+static JSValue getProperty(ExecState* exec, JSObject* obj, unsigned index)
{
PropertySlot slot(obj);
if (!obj->getPropertySlot(exec, index, slot))
@@ -416,33 +416,19 @@
EncodedJSValue JSC_HOST_CALL arrayProtoFuncConcat(ExecState* exec)
{
JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
- size_t argCount = exec->argumentCount();
+ JSArray* arr = constructEmptyArray(exec, nullptr);
+ unsigned n = 0;
JSValue curArg = thisValue.toObject(exec);
- Checked<unsigned, RecordOverflow> finalArraySize = 0;
-
- for (size_t i = 0; i <= argCount; ++i) {
- if (JSArray* currentArray = jsDynamicCast<JSArray*>(curArg))
- finalArraySize += currentArray->length();
- else
- finalArraySize++;
- curArg = exec->uncheckedArgument(i);
- }
-
- if (finalArraySize.hasOverflowed())
- return JSValue::encode(throwOutOfMemoryError(exec));
-
- JSArray* arr = constructEmptyArray(exec, nullptr, finalArraySize.unsafeGet());
if (exec->hadException())
return JSValue::encode(jsUndefined());
-
- curArg = thisValue.toObject(exec);
- unsigned n = 0;
size_t i = 0;
+ size_t argCount = exec->argumentCount();
while (1) {
- if (JSArray* currentArray = jsDynamicCast<JSArray*>(curArg)) {
- unsigned length = currentArray->length();
+ if (curArg.inherits(JSArray::info())) {
+ unsigned length = curArg.get(exec, exec->propertyNames().length).toUInt32(exec);
+ JSObject* curObject = curArg.toObject(exec);
for (unsigned k = 0; k < length; ++k) {
- JSValue v = getProperty(exec, currentArray, k);
+ JSValue v = getProperty(exec, curObject, k);
if (exec->hadException())
return JSValue::encode(jsUndefined());
if (v)
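Review bot: The restored loop in arrayProtoFuncConcat reads `length` once and then calls `getProperty(exec, curObject, k)` for every index, and nothing in the code says why that is safe. getProperty performs a generic `getPropertySlot` lookup, so it can presumably reach accessors and run script that shrinks or otherwise mutates the array while the copy is in flight. The loop appears to tolerate a stale `length` only because each element comes from that checked lookup rather than from the array's storage. I would add a comment above the `for`, e.g. `// length is a snapshot: getProperty() may re-enter script and mutate curObject, so fetch every element through the generic lookup, never from storage directly.` This matters for any re-land of the single-allocation change rolled out here; the function body continues past the end of the hunk.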