| OLD | NEW |
|---|
| 1 // Copyright 2014 the V8 project authors. All rights reserved. | 1 // Copyright 2014 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/v8.h" | 5 #include "src/v8.h" |
| 6 | 6 |
| 7 #include "src/arguments.h" | 7 #include "src/arguments.h" |
| 8 #include "src/runtime/runtime-utils.h" | 8 #include "src/runtime/runtime-utils.h" |
| 9 | 9 |
| 10 namespace v8 { | 10 namespace v8 { |
| (...skipping 1027 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1038 | 1038 |
| 1039 static Object* ArrayConstructorCommon(Isolate* isolate, | 1039 static Object* ArrayConstructorCommon(Isolate* isolate, |
| 1040 Handle<JSFunction> constructor, | 1040 Handle<JSFunction> constructor, |
| 1041 Handle<JSFunction> original_constructor, | 1041 Handle<JSFunction> original_constructor, |
| 1042 Handle<AllocationSite> site, | 1042 Handle<AllocationSite> site, |
| 1043 Arguments* caller_args) { | 1043 Arguments* caller_args) { |
| 1044 Factory* factory = isolate->factory(); | 1044 Factory* factory = isolate->factory(); |
| 1045 | 1045 |
| 1046 bool holey = false; | 1046 bool holey = false; |
| 1047 bool can_use_type_feedback = true; | 1047 bool can_use_type_feedback = true; |
| 1048 bool can_inline_array_constructor = true; |
| 1048 if (caller_args->length() == 1) { | 1049 if (caller_args->length() == 1) { |
| 1049 Handle<Object> argument_one = caller_args->at<Object>(0); | 1050 Handle<Object> argument_one = caller_args->at<Object>(0); |
| 1050 if (argument_one->IsSmi()) { | 1051 if (argument_one->IsSmi()) { |
| 1051 int value = Handle<Smi>::cast(argument_one)->value(); | 1052 int value = Handle<Smi>::cast(argument_one)->value(); |
| 1052 if (value < 0 || value >= JSObject::kInitialMaxFastElementArray) { | 1053 if (value < 0 || JSArray::SetElementsLengthWouldNormalize(isolate->heap(), |
| 1054 argument_one)) { |
| 1053 // the array is a dictionary in this case. | 1055 // the array is a dictionary in this case. |
| 1054 can_use_type_feedback = false; | 1056 can_use_type_feedback = false; |
| 1055 } else if (value != 0) { | 1057 } else if (value != 0) { |
| 1056 holey = true; | 1058 holey = true; |
| 1059 if (value >= JSObject::kInitialMaxFastElementArray) { |
| 1060 can_inline_array_constructor = false; |
| 1061 } |
| 1057 } | 1062 } |
| 1058 } else { | 1063 } else { |
| 1059 // Non-smi length argument produces a dictionary | 1064 // Non-smi length argument produces a dictionary |
| 1060 can_use_type_feedback = false; | 1065 can_use_type_feedback = false; |
| 1061 } | 1066 } |
| 1062 } | 1067 } |
| 1063 | 1068 |
| 1064 Handle<JSArray> array; | 1069 Handle<JSArray> array; |
| 1065 if (!site.is_null() && can_use_type_feedback) { | 1070 if (!site.is_null() && can_use_type_feedback) { |
| 1066 ElementsKind to_kind = site->GetElementsKind(); | 1071 ElementsKind to_kind = site->GetElementsKind(); |
| (...skipping 30 matching lines...) Expand all Loading... |
| 1097 JSObject::TransitionElementsKind(array, kind); | 1102 JSObject::TransitionElementsKind(array, kind); |
| 1098 } | 1103 } |
| 1099 } | 1104 } |
| 1100 | 1105 |
| 1101 factory->NewJSArrayStorage(array, 0, 0, DONT_INITIALIZE_ARRAY_ELEMENTS); | 1106 factory->NewJSArrayStorage(array, 0, 0, DONT_INITIALIZE_ARRAY_ELEMENTS); |
| 1102 | 1107 |
| 1103 ElementsKind old_kind = array->GetElementsKind(); | 1108 ElementsKind old_kind = array->GetElementsKind(); |
| 1104 RETURN_FAILURE_ON_EXCEPTION( | 1109 RETURN_FAILURE_ON_EXCEPTION( |
| 1105 isolate, ArrayConstructInitializeElements(array, caller_args)); | 1110 isolate, ArrayConstructInitializeElements(array, caller_args)); |
| 1106 if (!site.is_null() && | 1111 if (!site.is_null() && |
| 1107 (old_kind != array->GetElementsKind() || !can_use_type_feedback)) { | 1112 (old_kind != array->GetElementsKind() || !can_use_type_feedback || |
| 1113 !can_inline_array_constructor)) { |
| 1108 // The arguments passed in caused a transition. This kind of complexity | 1114 // The arguments passed in caused a transition. This kind of complexity |
| 1109 // can't be dealt with in the inlined hydrogen array constructor case. | 1115 // can't be dealt with in the inlined hydrogen array constructor case. |
| 1110 // We must mark the allocationsite as un-inlinable. | 1116 // We must mark the allocationsite as un-inlinable. |
| 1111 site->SetDoNotInlineCall(); | 1117 site->SetDoNotInlineCall(); |
| 1112 } | 1118 } |
| 1113 | 1119 |
| 1114 // Set up the prototoype using original function. | 1120 // Set up the prototoype using original function. |
| 1115 // TODO(dslomov): instead of setting the __proto__, | 1121 // TODO(dslomov): instead of setting the __proto__, |
| 1116 // use and cache the correct map. | 1122 // use and cache the correct map. |
| 1117 if (*original_constructor != *constructor) { | 1123 if (*original_constructor != *constructor) { |
| (...skipping 230 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1348 | 1354 |
| 1349 RUNTIME_FUNCTION(Runtime_FastOneByteArrayJoin) { | 1355 RUNTIME_FUNCTION(Runtime_FastOneByteArrayJoin) { |
| 1350 SealHandleScope shs(isolate); | 1356 SealHandleScope shs(isolate); |
| 1351 DCHECK(args.length() == 2); | 1357 DCHECK(args.length() == 2); |
| 1352 // Returning undefined means that this fast path fails and one has to resort | 1358 // Returning undefined means that this fast path fails and one has to resort |
| 1353 // to a slow path. | 1359 // to a slow path. |
| 1354 return isolate->heap()->undefined_value(); | 1360 return isolate->heap()->undefined_value(); |
| 1355 } | 1361 } |
| 1356 } | 1362 } |
| 1357 } // namespace v8::internal | 1363 } // namespace v8::internal |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1086873003:
Array() in optimized code can create with wrong ElementsKind in corner cases. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master