
Side by Side Diff: src/elements.cc

Issue 2297253002: [elements] Fix GetEntryForIndexImpl to honor array length (Closed)
Patch Set: Created 4 years, 3 months ago
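--- a/src/elements.cc
+++ b/src/elements.cc
@@ -1,10 +1,10 @@
 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/elements.h"
 
 #include "src/arguments.h"
 #include "src/conversions.h"
 #include "src/factory.h"
 #include "src/isolate-inl.h"
@@ -1182,27 +1182,27 @@
 }
 
 static uint32_t GetIndexForEntryImpl(FixedArrayBase* backing_store,
 uint32_t entry) {
 return entry;
 }
 
 static uint32_t GetEntryForIndexImpl(JSObject* holder,
 FixedArrayBase* backing_store,
 uint32_t index, PropertyFilter filter) {
+uint32_t length = Subclass::GetMaxIndex(holder, backing_store);
 if (IsHoleyElementsKind(kind())) {
-return index < Subclass::GetCapacityImpl(holder, backing_store) &&
+return index < length &&
 !BackingStore::cast(backing_store)->is_the_hole(index)
 ? index
 : kMaxUInt32;
 } else {
-uint32_t length = Subclass::GetMaxIndex(holder, backing_store);
 return index < length ? index : kMaxUInt32;
 }
 }
 
 uint32_t GetEntryForIndex(JSObject* holder, FixedArrayBase* backing_store,
 uint32_t index) final {
 return Subclass::GetEntryForIndexImpl(holder, backing_store, index,
 ALL_PROPERTIES);
 }
 
@@ -3735,10 +3735,10 @@
 insertion_index += len;
 }
 
 DCHECK_EQ(insertion_index, result_len);
 return result_array;
 }
 
 ElementsAccessor** ElementsAccessor::elements_accessors_ = NULL;
 } // namespace internal
 } // namespace v8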
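Review bot: In the holey branch of `GetEntryForIndexImpl`, the `is_the_hole(index)` read is now guarded only by `index < length`. The old code bounded it directly by `GetCapacityImpl(holder, backing_store)`. `GetMaxIndex` is defined outside the visible lines, so whether its result can ever exceed the capacity of the `backing_store` passed in cannot be confirmed here. If it can, for example when a caller hands in a store that is not the holder's current one, the hole check would read past the end of the store. I would state the invariant next to the new local with `DCHECK_LE(length, Subclass::GetCapacityImpl(holder, backing_store));` and add a short comment that the bound is the array length, so slots between length and capacity are never reported as present. If the invariant is not guaranteed in release builds, the holey branch should test `index` against both bounds rather than rely on the debug-only check.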