
Side by Side Diff: src/runtime/runtime-array.cc

Issue 1817443003: Remove oob elements collected from the prototype chain by trimming in GetArrayKeys (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: addressed comment Created 4 years, 9 months ago
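--- a/src/runtime/runtime-array.cc
+++ b/src/runtime/runtime-array.cc
@@ -1,10 +1,10 @@
 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/runtime/runtime-utils.h"
 
 #include "src/arguments.h"
 #include "src/conversions-inl.h"
 #include "src/elements.h"
 #include "src/factory.h"
@@ -204,26 +204,33 @@
 ->HasIndexedInterceptor()) {
 // Bail out if we find a proxy or interceptor, likely not worth
 // collecting keys in that case.
 return *isolate->factory()->NewNumberFromUint(length);
 }
 accumulator.NextPrototype();
 Handle<JSObject> current = PrototypeIterator::GetCurrent<JSObject>(iter);
 JSObject::CollectOwnElementKeys(current, &accumulator, ALL_PROPERTIES);
 }
 // Erase any keys >= length.
-// TODO(adamk): Remove this step when the contract of %GetArrayKeys
-// is changed to let this happen on the JS side.
 Handle<FixedArray> keys = accumulator.GetKeys(KEEP_NUMBERS);
+int j = 0;
 for (int i = 0; i < keys->length(); i++) {
-if (NumberToUint32(keys->get(i)) >= length) keys->set_undefined(i);
+if (NumberToUint32(keys->get(i)) >= length) continue;
+if (i != j) keys->set(j, keys->get(i));
+j++;
 }
+
+if (j != keys->length()) {
+isolate->heap()->RightTrimFixedArray<Heap::CONCURRENT_TO_SWEEPER>(
+*keys, keys->length() - j);
+}
+
 return *isolate->factory()->NewJSArrayWithElements(keys);
 }
 
 
 namespace {
 
 Object* ArrayConstructorCommon(Isolate* isolate, Handle<JSFunction> constructor,
 Handle<JSReceiver> new_target,
 Handle<AllocationSite> site,
 Arguments* caller_args) {
@@ -474,10 +481,10 @@
 CONVERT_ARG_HANDLE_CHECKED(Object, original_array, 0);
 Handle<Object> constructor;
 ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
 isolate, constructor,
 Object::ArraySpeciesConstructor(isolate, original_array));
 return *constructor;
 }
 
 } // namespace internal
 } // namespace v8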
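Review bot: The in-place compaction and the `RightTrimFixedArray` call at new lines 214-225 rest on two assumptions that nothing in the hunk states or checks. The first is that `accumulator.GetKeys(KEEP_NUMBERS)` hands back an array owned exclusively by this function, since shortening a backing store that something else still references would leave that holder with a stale length. The second is that trimming is valid when every collected key is filtered out, so that `j == 0` and the whole array is trimmed away; whether `RightTrimFixedArray` accepts that case is not visible here and should be confirmed, ideally with the regression test covering an all-out-of-range prototype. I would record the ownership assumption above the loop with a comment such as `// keys is a fresh array owned by this function, so it can be compacted and right-trimmed in place.` and rename `j` to `kept` so the loop reads as a compaction. The enclosing function starts above the visible lines.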