| OLD | NEW |
|---|
| 1 // Copyright 2012 the V8 project authors. All rights reserved. | 1 // Copyright 2012 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/builtins.h" | 5 #include "src/builtins.h" |
| 6 | 6 |
| 7 #include "src/api.h" | 7 #include "src/api.h" |
| 8 #include "src/api-natives.h" | 8 #include "src/api-natives.h" |
| 9 #include "src/arguments.h" | 9 #include "src/arguments.h" |
| 10 #include "src/base/once.h" | 10 #include "src/base/once.h" |
| (...skipping 179 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 190 } else if (object->IsBoolean()) { | 190 } else if (object->IsBoolean()) { |
| 191 *out = object->IsTrue(); | 191 *out = object->IsTrue(); |
| 192 return true; | 192 return true; |
| 193 } | 193 } |
| 194 return false; | 194 return false; |
| 195 } | 195 } |
| 196 | 196 |
| 197 | 197 |
| 198 inline bool GetSloppyArgumentsLength(Isolate* isolate, Handle<JSObject> object, | 198 inline bool GetSloppyArgumentsLength(Isolate* isolate, Handle<JSObject> object, |
| 199 int* out) { | 199 int* out) { |
| 200 Map* arguments_map = | 200 Map* arguments_map = isolate->native_context()->sloppy_arguments_map(); |
| 201 isolate->context()->native_context()->sloppy_arguments_map(); | 201 if (object->map() != arguments_map) return false; |
| 202 if (object->map() != arguments_map || !object->HasFastElements()) { | 202 DCHECK(object->HasFastElements()); |
| 203 return false; | |
| 204 } | |
| 205 Object* len_obj = object->InObjectPropertyAt(Heap::kArgumentsLengthIndex); | 203 Object* len_obj = object->InObjectPropertyAt(Heap::kArgumentsLengthIndex); |
| 206 if (!len_obj->IsSmi()) { | 204 if (!len_obj->IsSmi()) return false; |
| 207 return false; | 205 *out = Max(0, Smi::cast(len_obj)->value()); |
| 208 } | |
| 209 *out = Smi::cast(len_obj)->value(); | |
| 210 return *out <= object->elements()->length(); | 206 return *out <= object->elements()->length(); |
| 211 } | 207 } |
| 212 | 208 |
| 213 | 209 |
| 214 inline bool PrototypeHasNoElements(PrototypeIterator* iter) { | 210 inline bool PrototypeHasNoElements(PrototypeIterator* iter) { |
| 215 DisallowHeapAllocation no_gc; | 211 DisallowHeapAllocation no_gc; |
| 216 for (; !iter->IsAtEnd(); iter->Advance()) { | 212 for (; !iter->IsAtEnd(); iter->Advance()) { |
| 217 if (iter->GetCurrent()->IsJSProxy()) return false; | 213 if (iter->GetCurrent()->IsJSProxy()) return false; |
| 218 JSObject* current = iter->GetCurrent<JSObject>(); | 214 JSObject* current = iter->GetCurrent<JSObject>(); |
| 219 if (current->IsAccessCheckNeeded()) return false; | 215 if (current->IsAccessCheckNeeded()) return false; |
| (...skipping 766 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 986 * with the element index and the element's value. | 982 * with the element index and the element's value. |
| 987 * Afterwards it increments the base-index of the visitor by the array | 983 * Afterwards it increments the base-index of the visitor by the array |
| 988 * length. | 984 * length. |
| 989 * Returns false if any access threw an exception, otherwise true. | 985 * Returns false if any access threw an exception, otherwise true. |
| 990 */ | 986 */ |
| 991 bool IterateElements(Isolate* isolate, Handle<JSObject> receiver, | 987 bool IterateElements(Isolate* isolate, Handle<JSObject> receiver, |
| 992 ArrayConcatVisitor* visitor) { | 988 ArrayConcatVisitor* visitor) { |
| 993 uint32_t length = 0; | 989 uint32_t length = 0; |
| 994 | 990 |
| 995 if (receiver->IsJSArray()) { | 991 if (receiver->IsJSArray()) { |
| 996 Handle<JSArray> array(Handle<JSArray>::cast(receiver)); | 992 Handle<JSArray> array = Handle<JSArray>::cast(receiver); |
| 997 length = static_cast<uint32_t>(array->length()->Number()); | 993 length = static_cast<uint32_t>(array->length()->Number()); |
| 998 } else { | 994 } else { |
| 999 Handle<Object> val; | 995 Handle<Object> val; |
| 1000 Handle<Object> key(isolate->heap()->length_string(), isolate); | 996 Handle<Object> key = isolate->factory()->length_string(); |
| 1001 ASSIGN_RETURN_ON_EXCEPTION_VALUE( | 997 ASSIGN_RETURN_ON_EXCEPTION_VALUE( |
| 1002 isolate, val, Runtime::GetObjectProperty(isolate, receiver, key), | 998 isolate, val, Runtime::GetObjectProperty(isolate, receiver, key), |
| 1003 false); | 999 false); |
| 1004 ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, val, | 1000 ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, val, |
| 1005 Object::ToLength(isolate, val), false); | 1001 Object::ToLength(isolate, val), false); |
| 1006 // TODO(caitp): Support larger element indexes (up to 2^53-1). | 1002 // TODO(caitp): Support larger element indexes (up to 2^53-1). |
| 1007 if (!val->ToUint32(&length)) { | 1003 if (!val->ToUint32(&length)) { |
| 1008 length = 0; | 1004 length = 0; |
| 1009 } | 1005 } |
| 1010 } | 1006 } |
| (...skipping 1380 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2391 BUILTIN_LIST_C(DEFINE_BUILTIN_ACCESSOR_C) | 2387 BUILTIN_LIST_C(DEFINE_BUILTIN_ACCESSOR_C) |
| 2392 BUILTIN_LIST_A(DEFINE_BUILTIN_ACCESSOR_A) | 2388 BUILTIN_LIST_A(DEFINE_BUILTIN_ACCESSOR_A) |
| 2393 BUILTIN_LIST_H(DEFINE_BUILTIN_ACCESSOR_H) | 2389 BUILTIN_LIST_H(DEFINE_BUILTIN_ACCESSOR_H) |
| 2394 BUILTIN_LIST_DEBUG_A(DEFINE_BUILTIN_ACCESSOR_A) | 2390 BUILTIN_LIST_DEBUG_A(DEFINE_BUILTIN_ACCESSOR_A) |
| 2395 #undef DEFINE_BUILTIN_ACCESSOR_C | 2391 #undef DEFINE_BUILTIN_ACCESSOR_C |
| 2396 #undef DEFINE_BUILTIN_ACCESSOR_A | 2392 #undef DEFINE_BUILTIN_ACCESSOR_A |
| 2397 | 2393 |
| 2398 | 2394 |
| 2399 } // namespace internal | 2395 } // namespace internal |
| 2400 } // namespace v8 | 2396 } // namespace v8 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1436813002:
Fix Array.prototype.slice with arguments object with negative length. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master