Skip to site navigation (Press enter)

[webkit-changes] [177245] trunk/Source/JavaScriptCore

mmirman Fri, 12 Dec 2014 15:46:25 -0800

Title: [177245] trunk/Source/_javascript_Core

Revision: 177245
Author: mmir...@apple.com
Date: 2014-12-12 15:46:13 -0800 (Fri, 12 Dec 2014)

Log Message

shiftCountWithArrayStorage should exit to slow path if the object has a sparse map.
https://bugs.webkit.org/show_bug.cgi?id=139598
<rdar://problem/18779367>


Reviewed by Filip Pizlo.

* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage): Added check for object having a sparse map.
* tests/stress/sparse_splice.js: Added.

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/JSArray.cpp

Added Paths

trunk/Source/_javascript_Core/tests/stress/sparse_splice.js

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (177244 => 177245)


--- trunk/Source/_javascript_Core/ChangeLog	2014-12-12 23:38:36 UTC (rev 177244)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-12-12 23:46:13 UTC (rev 177245)
@@ -1,3 +1,15 @@
+2014-12-12  Matthew Mirman  <mmir...@apple.com>
+
+        shiftCountWithArrayStorage should exit to slow path if the object has a sparse map.
+        https://bugs.webkit.org/show_bug.cgi?id=139598
+        <rdar://problem/18779367>
+
+        Reviewed by Filip Pizlo.
+
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::shiftCountWithArrayStorage): Added check for object having a sparse map.
+        * tests/stress/sparse_splice.js: Added.
+
 2014-12-12  Gyuyoung Kim  <gyuyoung....@samsung.com>
 
         Final clean up OwnPtr in JSC - runtime, ftl, and tool directories

Modified: trunk/Source/_javascript_Core/runtime/JSArray.cpp (177244 => 177245)


--- trunk/Source/_javascript_Core/runtime/JSArray.cpp	2014-12-12 23:38:36 UTC (rev 177244)
+++ trunk/Source/_javascript_Core/runtime/JSArray.cpp	2014-12-12 23:46:13 UTC (rev 177245)
@@ -675,7 +675,7 @@
     // If the array contains holes or is otherwise in an abnormal state,
     // use the generic algorithm in ArrayPrototype.
     if ((storage->hasHoles() && this->structure(vm)->holesMustForwardToPrototype(vm)) 
-        || inSparseIndexingMode() 
+        || hasSparseMap() 
         || shouldUseSlowPut(indexingType())) {
         return false;
     }

Added: trunk/Source/_javascript_Core/tests/stress/sparse_splice.js (0 => 177245)


--- trunk/Source/_javascript_Core/tests/stress/sparse_splice.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/sparse_splice.js	2014-12-12 23:46:13 UTC (rev 177245)
@@ -0,0 +1,12 @@
+var myArray = Array();
+myArray[ 10000 ] = "a";
+myArray[ 10001 ] = "b";
+myArray[ 10002 ] = "c";
+
+// remove element at index 1001
+myArray.splice( 10001, 1 );
+
+if (myArray[10000] != "a")
+    throw "Splicing Error! start index changed";
+if (myArray[10001] != "c")
+    throw "Splicing Error! removed element not removed";

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes