Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(342)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: src/js/harmony-array.js

Issue 1420663003: Avoid calling %AddElement with a number out of array index range (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Fix naming Created 5 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « src/js/array.js ('k') | src/js/runtime.js » ('j') | src/js/runtime.js » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2013 the V8 project authors. All rights reserved. 1 // Copyright 2013 the V8 project authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 (function(global, utils) { 5 (function(global, utils) {
6 6
7 'use strict'; 7 'use strict';
8 8
9 %CheckIsBootstrapping(); 9 %CheckIsBootstrapping();
10 10
11 // ------------------------------------------------------------------- 11 // -------------------------------------------------------------------
12 // Imports 12 // Imports
13 13
14 var AddIndexedProperty;
14 var FLAG_harmony_tolength; 15 var FLAG_harmony_tolength;
15 var GetIterator; 16 var GetIterator;
16 var GetMethod; 17 var GetMethod;
17 var GlobalArray = global.Array; 18 var GlobalArray = global.Array;
18 var iteratorSymbol = utils.ImportNow("iterator_symbol"); 19 var iteratorSymbol = utils.ImportNow("iterator_symbol");
19 var MakeTypeError; 20 var MakeTypeError;
20 var MaxSimple; 21 var MaxSimple;
21 var MinSimple; 22 var MinSimple;
22 var ObjectIsFrozen; 23 var ObjectIsFrozen;
23 var ObjectDefineProperty; 24 var ObjectDefineProperty;
24 25
25 utils.Import(function(from) { 26 utils.Import(function(from) {
27 AddIndexedProperty = from.AddIndexedProperty;
26 FLAG_harmony_tolength = from.FLAG_harmony_tolength; 28 FLAG_harmony_tolength = from.FLAG_harmony_tolength;
27 GetIterator = from.GetIterator; 29 GetIterator = from.GetIterator;
28 GetMethod = from.GetMethod; 30 GetMethod = from.GetMethod;
29 MakeTypeError = from.MakeTypeError; 31 MakeTypeError = from.MakeTypeError;
30 MaxSimple = from.MaxSimple; 32 MaxSimple = from.MaxSimple;
31 MinSimple = from.MinSimple; 33 MinSimple = from.MinSimple;
32 ObjectIsFrozen = from.ObjectIsFrozen; 34 ObjectIsFrozen = from.ObjectIsFrozen;
33 ObjectDefineProperty = from.ObjectDefineProperty; 35 ObjectDefineProperty = from.ObjectDefineProperty;
34 }); 36 });
35 37
(...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after
175 CHECK_OBJECT_COERCIBLE(this, "Array.prototype.fill"); 177 CHECK_OBJECT_COERCIBLE(this, "Array.prototype.fill");
176 178
177 var array = TO_OBJECT(this); 179 var array = TO_OBJECT(this);
178 var length = TO_LENGTH_OR_UINT32(array.length); 180 var length = TO_LENGTH_OR_UINT32(array.length);
179 181
180 return InnerArrayFill(value, start, end, array, length); 182 return InnerArrayFill(value, start, end, array, length);
181 } 183 }
182 184
183 function AddArrayElement(constructor, array, i, value) { 185 function AddArrayElement(constructor, array, i, value) {
184 if (constructor === GlobalArray) { 186 if (constructor === GlobalArray) {
185 %AddElement(array, i, value); 187 AddIndexedProperty(array, i, value);
186 } else { 188 } else {
187 ObjectDefineProperty(array, i, { 189 ObjectDefineProperty(array, i, {
188 value: value, writable: true, configurable: true, enumerable: true 190 value: value, writable: true, configurable: true, enumerable: true
189 }); 191 });
190 } 192 }
191 } 193 }
192 194
193 // ES6, draft 10-14-14, section 22.1.2.1 195 // ES6, draft 10-14-14, section 22.1.2.1
194 function ArrayFrom(arrayLike, mapfn, receiver) { 196 function ArrayFrom(arrayLike, mapfn, receiver) {
195 var items = TO_OBJECT(arrayLike); 197 var items = TO_OBJECT(arrayLike);
(...skipping 97 matching lines...) Expand 10 before | Expand all | Expand 10 after
293 295
294 utils.Export(function(to) { 296 utils.Export(function(to) {
295 to.ArrayFrom = ArrayFrom; 297 to.ArrayFrom = ArrayFrom;
296 to.InnerArrayCopyWithin = InnerArrayCopyWithin; 298 to.InnerArrayCopyWithin = InnerArrayCopyWithin;
297 to.InnerArrayFill = InnerArrayFill; 299 to.InnerArrayFill = InnerArrayFill;
298 to.InnerArrayFind = InnerArrayFind; 300 to.InnerArrayFind = InnerArrayFind;
299 to.InnerArrayFindIndex = InnerArrayFindIndex; 301 to.InnerArrayFindIndex = InnerArrayFindIndex;
300 }); 302 });
301 303
302 }) 304 })
OLDNEW
« no previous file with comments | « src/js/array.js ('k') | src/js/runtime.js » ('j') | src/js/runtime.js » ('J')

Powered by Google App Engine
This is Rietveld 408576698