
Side by Side Diff: src/runtime.cc

Issue 264973008: Checks for empty array case added before casting elements to FixedDoubleArray. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Created 6 years, 7 months ago
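--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -1,10 +1,10 @@
 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <stdlib.h>
 #include <limits>
 
 #include "v8.h"
 
 #include "accessors.h"
@@ -10348,20 +10348,22 @@
 isolate, element_value,
 Object::GetElement(isolate, receiver, j),
 false);
 visitor->visit(j, element_value);
 }
 }
 break;
 }
 case FAST_HOLEY_DOUBLE_ELEMENTS:
 case FAST_DOUBLE_ELEMENTS: {
+// Empty array is FixedArray but not FixedDoubleArray.
+if (length == 0) break;
 // Run through the elements FixedArray and use HasElement and GetElement
 // to check the prototype for missing elements.
 Handle<FixedDoubleArray> elements(
 FixedDoubleArray::cast(receiver->elements()));
 int fast_length = static_cast<int>(length);
 ASSERT(fast_length <= elements->length());
 for (int j = 0; j < fast_length; j++) {
 HandleScope loop_scope(isolate);
 if (!elements->is_the_hole(j)) {
 double double_value = elements->get_scalar(j);
@@ -10552,22 +10554,22 @@
 j++;
 } else if (obj->IsNumber()) {
 double_storage->set(j, obj->Number());
 j++;
 } else {
 JSArray* array = JSArray::cast(*obj);
 uint32_t length = static_cast<uint32_t>(array->length()->Number());
 switch (array->map()->elements_kind()) {
 case FAST_HOLEY_DOUBLE_ELEMENTS:
 case FAST_DOUBLE_ELEMENTS: {
-// Empty fixed array indicates that there are no elements.
-if (array->elements()->IsFixedArray()) break;
+// Empty array is FixedArray but not FixedDoubleArray.
+if (length == 0) break;
 FixedDoubleArray* elements =
 FixedDoubleArray::cast(array->elements());
 for (uint32_t i = 0; i < length; i++) {
 if (elements->is_the_hole(i)) {
 failure = true;
 break;
 }
 double double_value = elements->get_scalar(i);
 double_storage->set(j, double_value);
 j++;
@@ -15196,10 +15198,10 @@
 }
 return NULL;
 }
 
 
 const Runtime::Function* Runtime::FunctionForId(Runtime::FunctionId id) {
 return &(kIntrinsicFunctions[static_cast<int>(id)]);
 }
 
 } } // namespace v8::internal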
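Review bot: In the second `FAST_DOUBLE_ELEMENTS` case (the one copying into `double_storage`), the guard before `FixedDoubleArray::cast(array->elements())` is now `length == 0` instead of a type check on the backing store. The cast and the `i < length` loop therefore both depend on an unchecked invariant: a double-kind array with nonzero length must be backed by a FixedDoubleArray of at least `length` entries. The first changed case at least carries `ASSERT(fast_length <= elements->length());`, so I would add the matching `ASSERT(length <= static_cast<uint32_t>(elements->length()));` right after the cast here. The comment should also state the invariant rather than only the empty case, e.g. `// length == 0 may still point at the empty FixedArray; for length > 0 the backing store must be a FixedDoubleArray.` Both enclosing functions start and end outside the shown lines, so a check elsewhere may already cover this; ASSERT is presumably debug-only, in which case a length out of sync with the backing store would read past it in release builds.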