
Side by Side Diff: src/array.js

Issue 679113003: Correctly handle Array unshift/splices that move elements past the max length of an Array (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Created 6 years, 1 month ago
1 // Copyright 2012 the V8 project authors. All rights reserved. 1 // Copyright 2012 the V8 project authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 "use strict"; 5 "use strict";
6 6
7 // This file relies on the fact that the following declarations have been made 7 // This file relies on the fact that the following declarations have been made
8 // in runtime.js: 8 // in runtime.js:
9 // var $Array = global.Array; 9 // var $Array = global.Array;
10 10
(...skipping 220 matching lines...) Expand 10 before | Expand all | Expand 10 after
231 } 231 }
232 } 232 }
233 233
234 234
235 // This function implements the optimized splice implementation that can use 235 // This function implements the optimized splice implementation that can use
236 // special array operations to handle sparse arrays in a sensible fashion. 236 // special array operations to handle sparse arrays in a sensible fashion.
237 function SparseMove(array, start_i, del_count, len, num_additional_args) { 237 function SparseMove(array, start_i, del_count, len, num_additional_args) {
238 // Bail out if no moving is necessary. 238 // Bail out if no moving is necessary.
239 if (num_additional_args === del_count) return; 239 if (num_additional_args === del_count) return;
240 // Move data to new array. 240 // Move data to new array.
241 var new_array = new InternalArray(len - del_count + num_additional_args); 241 var new_array = new InternalArray(
242 // Clamp array length to 2^32-1 to avoid early RangeError.
243 MathMin(len - del_count + num_additional_args, 0xffffffff));
244 var big_indices;
242 var indices = %GetArrayKeys(array, len); 245 var indices = %GetArrayKeys(array, len);
243 if (IS_NUMBER(indices)) { 246 if (IS_NUMBER(indices)) {
244 var limit = indices; 247 var limit = indices;
245 for (var i = 0; i < start_i && i < limit; ++i) { 248 for (var i = 0; i < start_i && i < limit; ++i) {
246 var current = array[i]; 249 var current = array[i];
247 if (!IS_UNDEFINED(current) || i in array) { 250 if (!IS_UNDEFINED(current) || i in array) {
248 new_array[i] = current; 251 new_array[i] = current;
249 } 252 }
250 } 253 }
251 for (var i = start_i + del_count; i < limit; ++i) { 254 for (var i = start_i + del_count; i < limit; ++i) {
252 var current = array[i]; 255 var current = array[i];
253 if (!IS_UNDEFINED(current) || i in array) { 256 if (!IS_UNDEFINED(current) || i in array) {
254 new_array[i - del_count + num_additional_args] = current; 257 new_array[i - del_count + num_additional_args] = current;
255 } 258 }
256 } 259 }
257 } else { 260 } else {
258 var length = indices.length; 261 var length = indices.length;
259 for (var k = 0; k < length; ++k) { 262 for (var k = 0; k < length; ++k) {
260 var key = indices[k]; 263 var key = indices[k];
261 if (!IS_UNDEFINED(key)) { 264 if (!IS_UNDEFINED(key)) {
262 if (key < start_i) { 265 if (key < start_i) {
263 var current = array[key]; 266 var current = array[key];
264 if (!IS_UNDEFINED(current) || key in array) { 267 if (!IS_UNDEFINED(current) || key in array) {
265 new_array[key] = current; 268 new_array[key] = current;
266 } 269 }
267 } else if (key >= start_i + del_count) { 270 } else if (key >= start_i + del_count) {
268 var current = array[key]; 271 var current = array[key];
269 if (!IS_UNDEFINED(current) || key in array) { 272 if (!IS_UNDEFINED(current) || key in array) {
270 new_array[key - del_count + num_additional_args] = current; 273 var new_key = key - del_count + num_additional_args;
274 new_array[new_key] = current;
275 if (new_key > 0xffffffff) {
Toon Verwaest 2014/11/11 13:22:21 Shouldn't this be >=? NOTE A String property name
adamk 2014/11/11 18:01:01 This is a weird corner-case in V8: indexed propert
276 big_indices = big_indices || new InternalArray();
277 big_indices.push(new_key);
278 }
271 } 279 }
272 } 280 }
273 } 281 }
274 } 282 }
275 } 283 }
276 // Move contents of new_array into this array 284 // Move contents of new_array into this array
277 %MoveArrayContents(new_array, array); 285 %MoveArrayContents(new_array, array);
286 // Add any moved values that aren't elements anymore.
287 if (!IS_UNDEFINED(big_indices)) {
288 var length = big_indices.length;
289 for (var i = 0; i < length; ++i) {
290 var key = big_indices[i];
291 array[key] = new_array[key];
292 }
293 }
278 } 294 }
279 295
280 296
281 // This is part of the old simple-minded splice. We are using it either 297 // This is part of the old simple-minded splice. We are using it either
282 // because the receiver is not an array (so we have no choice) or because we 298 // because the receiver is not an array (so we have no choice) or because we
283 // know we are not deleting or moving a lot of elements. 299 // know we are not deleting or moving a lot of elements.
284 function SimpleSlice(array, start_i, del_count, len, deleted_elements) { 300 function SimpleSlice(array, start_i, del_count, len, deleted_elements) {
285 for (var i = 0; i < del_count; i++) { 301 for (var i = 0; i < del_count; i++) {
286 var index = start_i + i; 302 var index = start_i + i;
287 if (index in array) { 303 if (index in array) {
(...skipping 1268 matching lines...) Expand 10 before | Expand all | Expand 10 after
1556 )); 1572 ));
1557 1573
1558 SetUpLockedPrototype(InternalPackedArray, $Array(), $Array( 1574 SetUpLockedPrototype(InternalPackedArray, $Array(), $Array(
1559 "join", getFunction("join", ArrayJoin), 1575 "join", getFunction("join", ArrayJoin),
1560 "pop", getFunction("pop", ArrayPop), 1576 "pop", getFunction("pop", ArrayPop),
1561 "push", getFunction("push", ArrayPush) 1577 "push", getFunction("push", ArrayPush)
1562 )); 1578 ));
1563 } 1579 }
1564 1580
1565 SetUpArray(); 1581 SetUpArray();
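Review bot: The dense branch of SparseMove (`IS_NUMBER(indices)`, second loop) still stores to `new_array[i - del_count + num_additional_args]` with no comparison against 0xffffffff, while the keyed branch now records out-of-range keys in `big_indices` and copies them back after `%MoveArrayContents`. Whether `limit` can ever be large enough for that store to leave the element range is not visible on this page; if it cannot, record the assumption next to the loop, e.g. `// Dense case: limit is bounded well below 2^32, so shifted indices remain elements.`, and otherwise apply the same bookkeeping there. The copy-back loop reads `new_array[key]` after the move, which presumably relies on the native transferring only elements and leaving named properties on `new_array`; a short comment stating that dependency would keep a later change to the native from silently dropping those values.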