Fix invalid fast return in splice when returned array is empty.

src/builtins.cc

 // Copyright 2006-2008 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 574 matching lines @@
 
   // SpiderMonkey and JSC return undefined in the case where no
   // arguments are given instead of using the implicit undefined
   // arguments.  This does not follow ECMA-262, but we do the same for
   // compatibility.
   // TraceMonkey follows ECMA-262 though.
   if (n_arguments == 0) {
     return Heap::undefined_value();
   }
 
   int relativeStart = 0;

[Kasper Lund, 2010/03/05 07:08:14]

Don't use camelCase for local variables.

   Object* arg1 = args[1];
   if (arg1->IsSmi()) {
     relativeStart = Smi::cast(arg1)->value();
   } else if (!arg1->IsUndefined()) {
     return CallJsBuiltin("ArraySplice", args);
   }
   int actualStart = (relativeStart < 0) ? Max(len + relativeStart, 0)

[Kasper Lund, 2010/03/05 07:08:14]

Don't use camelCase for local variables.

                                         : Min(relativeStart, len);
 
   // SpiderMonkey, TraceMonkey and JSC treat the case where no delete count is
   // given differently from when an undefined delete count is given.
   // This does not follow ECMA-262, but we do the same for
   // compatibility.
   int deleteCount = len;

[Kasper Lund, 2010/03/05 07:08:14]

Don't use camelCase for local variables.

   if (n_arguments > 1) {
     Object* arg2 = args[2];
     if (arg2->IsSmi()) {
       deleteCount = Smi::cast(arg2)->value();
     } else {
       return CallJsBuiltin("ArraySplice", args);
     }
   }
   int actualDeleteCount = Min(Max(deleteCount, 0), len - actualStart);

[Kasper Lund, 2010/03/05 07:08:14]

Don't use camelCase for local variables.

-  if (actualDeleteCount == 0) {
-    return AllocateEmptyJSArray();
-  }
-
-  // Allocate result array.
-  Object* result = AllocateJSArray();
-  if (result->IsFailure()) return result;
-  JSArray* result_array = JSArray::cast(result);
-
-  result = Heap::AllocateUninitializedFixedArray(actualDeleteCount);
-  if (result->IsFailure()) return result;
-  FixedArray* result_elms = FixedArray::cast(result);
 
   FixedArray* elms = FixedArray::cast(array->elements());
 
-  AssertNoAllocation no_gc;
-  // Fill newly created array.
-  CopyElements(&no_gc, result_elms, 0, elms, actualStart, actualDeleteCount);
+  JSArray* result_array = NULL;
+  if (actualDeleteCount == 0) {
+    Object* result = AllocateEmptyJSArray();
+    if (result->IsFailure()) return result;
+    result_array = JSArray::cast(result);
+  } else {
+    // Allocate result array.
+    Object* result = AllocateJSArray();
+    if (result->IsFailure()) return result;
+    result_array = JSArray::cast(result);
 
-  // Set elements.
-  result_array->set_elements(result_elms);
+    result = Heap::AllocateUninitializedFixedArray(actualDeleteCount);
+    if (result->IsFailure()) return result;
+    FixedArray* result_elms = FixedArray::cast(result);
 
-  // Set the length.
-  result_array->set_length(Smi::FromInt(actualDeleteCount));
+    AssertNoAllocation no_gc;
+    // Fill newly created array.
+    CopyElements(&no_gc, result_elms, 0, elms, actualStart, actualDeleteCount);
+
+    // Set elements.
+    result_array->set_elements(result_elms);
+
+    // Set the length.
+    result_array->set_length(Smi::FromInt(actualDeleteCount));
+  }
 
   int itemCount = (n_arguments > 1) ? (n_arguments - 2) : 0;

[Kasper Lund, 2010/03/05 07:08:14]

Don't use camelCase for local variables.

 
   int new_length = len - actualDeleteCount + itemCount;
 
   if (itemCount < actualDeleteCount) {
     // Shrink the array.
+    AssertNoAllocation no_gc;
     MoveElements(&no_gc,
                  elms, actualStart + itemCount,
                  elms, actualStart + actualDeleteCount,
                  (len - actualDeleteCount - actualStart));
     FillWithHoles(elms, new_length, len);
   } else if (itemCount > actualDeleteCount) {
     // Currently fixed arrays cannot grow too big, so
     // we should never hit this case.
     ASSERT((itemCount - actualDeleteCount) <= (Smi::kMaxValue - len));
 
     FixedArray* source_elms = elms;
 
     // Check if array need to grow.
     if (new_length > elms->length()) {
       // New backing storage is needed.
       int capacity = new_length + (new_length >> 1) + 16;
       Object* obj = Heap::AllocateUninitializedFixedArray(capacity);
       if (obj->IsFailure()) return obj;
       FixedArray* new_elms = FixedArray::cast(obj);
 
+      AssertNoAllocation no_gc;
       // Copy the part before actualStart as is.
       CopyElements(&no_gc, new_elms, 0, elms, 0, actualStart);
       FillWithHoles(new_elms, new_length, capacity);
 
       source_elms = elms;
       elms = new_elms;
       array->set_elements(elms);
     }
 
+    AssertNoAllocation no_gc;
     MoveElements(&no_gc,
                  elms, actualStart + itemCount,
                  source_elms, actualStart + actualDeleteCount,
                  (len - actualDeleteCount - actualStart));
   }
 
+  AssertNoAllocation no_gc;
   WriteBarrierMode mode = elms->GetWriteBarrierMode(no_gc);
   for (int k = actualStart; k < actualStart + itemCount; k++) {
     elms->set(k, args[3 + k - actualStart], mode);
   }
 
   // Set the length.
   array->set_length(Smi::FromInt(new_length));
 
   return result_array;
 }
@@ skipping 643 matching lines @@
       if (entry->contains(pc)) {
         return names_[i];
       }
     }
   }
   return NULL;
 }
 
 
 } }  // namespace v8::internal