
Unified Diff: src/builtins/builtins-array.cc

Issue 2655623004: [runtime] Fix Array.prototype.concat with complex @@species (Closed)
Patch Set: do instance_type check Created 3 years, 11 months ago
Index: src/builtins/builtins-array.cc
diff --git a/src/builtins/builtins-array.cc b/src/builtins/builtins-array.cc
index 5f3bc4250b577428b0b841b66b3b074ac13d0f3b..85d914e76beedf506232fb508d90b84213ee81a9 100644
--- a/src/builtins/builtins-array.cc
+++ b/src/builtins/builtins-array.cc
@@ -562,7 +562,11 @@ class ArrayConcatVisitor {
index_offset_(0u),
bit_field_(FastElementsField::encode(fast_elements) |
ExceedsLimitField::encode(false) |
- IsFixedArrayField::encode(storage->IsFixedArray())) {
+ IsFixedArrayField::encode(storage->IsFixedArray()) |
+ HasSimpleElementsField::encode(
+ storage->IsFixedArray() ||
+ HeapObject::cast(*storage)->map()->instance_type() >
+ LAST_CUSTOM_ELEMENTS_RECEIVER)) {
DCHECK(!(this->fast_elements() && !is_fixed_array()));
}
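Review bot: The comparison `instance_type() > LAST_CUSTOM_ELEMENTS_RECEIVER` in the `HasSimpleElementsField` initializer is the core of this fix, yet nothing at the site says what it excludes. Judging by the enum name, it marks a result object created through @@species whose element access can run custom logic, so it must not be filled by the fast element paths. A comment above the encode call would record that, e.g. `// Storage at or below LAST_CUSTOM_ELEMENTS_RECEIVER has custom element semantics; only the generic (slow) path may write to it.` The constructor's signature and the start of its initializer list are outside the hunk, so whether `storage` is always a heap object before `HeapObject::cast` cannot be confirmed from here.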
@@ -652,12 +656,16 @@ class ArrayConcatVisitor {
// (otherwise)
Handle<FixedArray> storage_fixed_array() {
DCHECK(is_fixed_array());
+ DCHECK(has_simple_elements());
return Handle<FixedArray>::cast(storage_);
}
Handle<JSReceiver> storage_jsreceiver() {
DCHECK(!is_fixed_array());
return Handle<JSReceiver>::cast(storage_);
}
+ bool has_simple_elements() const {
+ return HasSimpleElementsField::decode(bit_field_);
+ }
private:
// Convert storage to dictionary mode.
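Review bot: The new `DCHECK(has_simple_elements())` in `storage_fixed_array()` cannot fire on its own, because the constructor sets the bit whenever `storage->IsFixedArray()` is true and `DCHECK(is_fixed_array())` already precedes it. The same holds for the DCHECK added to `set_storage` in the next hunk. DCHECKs are also compiled out of release builds, so neither one is the guard. The accessor that can hand out non-simple storage is `storage_jsreceiver()`, and the new getter is the natural place to document the contract, e.g. `// False when the @@species-created result is a custom elements receiver; callers must then take the slow path.` The class body continues outside the hunk.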
@@ -691,12 +699,14 @@ class ArrayConcatVisitor {
inline void set_storage(FixedArray* storage) {
DCHECK(is_fixed_array());
+ DCHECK(has_simple_elements());
storage_ = isolate_->global_handles()->Create(storage);
}
class FastElementsField : public BitField<bool, 0, 1> {};
class ExceedsLimitField : public BitField<bool, 1, 1> {};
class IsFixedArrayField : public BitField<bool, 2, 1> {};
+ class HasSimpleElementsField : public BitField<bool, 3, 1> {};
bool fast_elements() const { return FastElementsField::decode(bit_field_); }
void set_fast_elements(bool fast) {
@@ -922,7 +932,6 @@ bool IterateElementsSlow(Isolate* isolate, Handle<JSReceiver> receiver,
visitor->increase_index_offset(length);
return true;
}
-
/**
* A helper function that visits "array" elements of a JSReceiver in numerical
* order.
@@ -952,7 +961,8 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
return IterateElementsSlow(isolate, receiver, length, visitor);
}
- if (!HasOnlySimpleElements(isolate, *receiver)) {
+ if (!HasOnlySimpleElements(isolate, *receiver) ||
+ !visitor->has_simple_elements()) {
return IterateElementsSlow(isolate, receiver, length, visitor);
}
Handle<JSObject> array = Handle<JSObject>::cast(receiver);
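Review bot: In the widened condition, `visitor->has_simple_elements()` is a single bit decode while `HasOnlySimpleElements(isolate, *receiver)` presumably inspects the receiver, so testing the visitor first is cheaper: `if (!visitor->has_simple_elements() || !HasOnlySimpleElements(isolate, *receiver)) {`. This branch is also the only runtime enforcement of the new bit, since the other additions are DCHECKs, so it deserves a comment such as `// Fall back when the result object is a custom elements receiver; the fast paths below assume plain element stores.` The fast paths themselves lie outside the hunk, so that wording should be checked against them.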