JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too.

https://bugs.webkit.org/show_bug.cgi?id=170896
<rdar://problem/31651319>

Reviewed by JF Bastien and Keith Miller.

JSTests:

* stress/regress-170896.js: Added.

Source/JavaScriptCore:

* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@215451 268f45cc-cd09-0410-ab3c-d52691b4dbfc
mark.lam@apple.com committed Apr 18, 2017
1 parent 4cd8ba7 commit ad6d74945b13a8ca682bffe5b4e9f1c6ce0ae692
Showing with 46 additions and 2 deletions.
  1. +10 −0 JSTests/ChangeLog
  2. +13 −0 JSTests/stress/regress-170896.js
  3. +11 −0 Source/JavaScriptCore/ChangeLog
  4. +12 −2 Source/JavaScriptCore/runtime/JSArray.cpp
@@ -1,3 +1,13 @@
2017-04-17 Mark Lam <mark.lam@apple.com>

JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too.
https://bugs.webkit.org/show_bug.cgi?id=170896
<rdar://problem/31651319>

Reviewed by JF Bastien and Keith Miller.

* stress/regress-170896.js: Added.

2017-04-16 Joseph Pecoraro <pecoraro@apple.com>

test262: test262/test/built-ins/Object/prototype/toLocaleString/primitive_this_value.js
@@ -0,0 +1,13 @@
function test() {
let a = [,,,,,,,,,];
return a.concat();
}
noInline(test);

test()[0] = {};

for (let i = 0; i < 20000; ++i) {
var result = test();
if (result[0])
throw result.toString();
}
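
Review bot: The loop only checks `result[0]`, and only for an all-holes literal concatenated with nothing, so a stale value at any other index would pass and the `type == ArrayWithDouble` fill loop added in JSArray.cpp does not look covered. Consider checking every index and `result.length`, and adding a case that involves an array of doubles. Throwing `result.toString()` also yields a message that is mostly commas; a string naming the iteration and the offending index would be easier to triage.
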
@@ -1,3 +1,14 @@
2017-04-17 Mark Lam <mark.lam@apple.com>

JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too.
https://bugs.webkit.org/show_bug.cgi?id=170896
<rdar://problem/31651319>

Reviewed by JF Bastien and Keith Miller.

* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):

2017-04-17 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: Doesn't show size of compressed content correctly
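
Review bot: The entry under `(JSC::JSArray::appendMemcpy):` has no description, so the ChangeLog does not record what went wrong when the source array is Undecided or how the fix handles it. Add a sentence or two after the function name, for example that an Undecided source is now written out as holes instead of going through the memcpy paths.
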
@@ -483,7 +483,8 @@ bool JSArray::appendMemcpy(ExecState* exec, VM& vm, unsigned startIndex, JSC::JS
return false;

IndexingType type = indexingType();
IndexingType copyType = mergeIndexingTypeForCopying(otherArray->indexingType());
IndexingType otherType = otherArray->indexingType();
IndexingType copyType = mergeIndexingTypeForCopying(otherType);
if (type == ArrayWithUndecided && copyType != NonArray) {
if (copyType == ArrayWithInt32)
convertUndecidedToInt32(vm);
@@ -517,7 +518,16 @@ bool JSArray::appendMemcpy(ExecState* exec, VM& vm, unsigned startIndex, JSC::JS
}
ASSERT(copyType == indexingType());

if (type == ArrayWithDouble)
if (UNLIKELY(otherType == ArrayWithUndecided)) {
auto* butterfly = this->butterfly();
if (type == ArrayWithDouble) {
for (unsigned i = startIndex; i < newLength; ++i)
butterfly->contiguousDouble()[i] = PNaN;
} else {
for (unsigned i = startIndex; i < newLength; ++i)
butterfly->contiguousInt32()[i].setWithoutWriteBarrier(JSValue());
}
} else if (type == ArrayWithDouble)
memcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);
else
memcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength);
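
Review bot: In the new `otherType == ArrayWithUndecided` branch, the `else` arm writes through `contiguousInt32()` for every `type` that is not `ArrayWithDouble`, with nothing asserting which types can reach it or saying why `setWithoutWriteBarrier(JSValue())` is safe there. An `ASSERT` on the expected types and a one-line comment explaining why an Undecided source cannot use the memcpy paths below would make the branch self-checking. The fill loops are also bounded by `newLength` while the memcpy paths use `otherLength`, so asserting `newLength == startIndex + otherLength` at this point would tie the two together. Finally, `type` was read before the `convertUndecidedTo...` calls earlier in the function while the `ASSERT` just above uses `indexingType()`; testing `copyType` here would avoid depending on the older value.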
