src/array.js - Issue 679113003: Correctly handle Array unshift/splices that move elements past the max length of an Array

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/array.js

Issue 679113003: Correctly handle Array unshift/splices that move elements past the max length of an Array (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge

Patch Set: Created 6 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/array.js

diff --git a/src/array.js b/src/array.js

index 29fa8318e2bfee8c8cfa4ba95af4da5bd777590e..ff14b3583f2ba5ee08b2f37015eff889a642a53e 100644

--- a/src/array.js

+++ b/src/array.js

@@ -238,7 +238,10 @@ function SparseMove(array, start_i, del_count, len, num_additional_args) {

// Bail out if no moving is necessary.

if (num_additional_args === del_count) return;

// Move data to new array.

- var new_array = new InternalArray(len - del_count + num_additional_args);

+ var new_array = new InternalArray(

+ // Clamp array length to 2^32-1 to avoid early RangeError.

+ MathMin(len - del_count + num_additional_args, 0xffffffff));

+ var big_indices;

var indices = %GetArrayKeys(array, len);

if (IS_NUMBER(indices)) {

var limit = indices;

@@ -267,7 +270,12 @@ function SparseMove(array, start_i, del_count, len, num_additional_args) {

} else if (key >= start_i + del_count) {

var current = array[key];

if (!IS_UNDEFINED(current) || key in array) {

- new_array[key - del_count + num_additional_args] = current;

+ var new_key = key - del_count + num_additional_args;

+ new_array[new_key] = current;

+ if (new_key > 0xffffffff) {

Toon Verwaest 2014/11/11 13:22:21 Shouldn't this be >=? NOTE A String property name

adamk 2014/11/11 18:01:01 This is a weird corner-case in V8: indexed propert

+ big_indices = big_indices || new InternalArray();

+ big_indices.push(new_key);

+ }

}

@@ -275,6 +283,14 @@ function SparseMove(array, start_i, del_count, len, num_additional_args) {

}

// Move contents of new_array into this array

%MoveArrayContents(new_array, array);

+ // Add any moved values that aren't elements anymore.

+ if (!IS_UNDEFINED(big_indices)) {

+ var length = big_indices.length;

+ for (var i = 0; i < length; ++i) {

+ var key = big_indices[i];

+ array[key] = new_array[key];

+ }

}

« no previous file with comments | « no previous file | test/mjsunit/bugs/bug-2615.js » ('j') | no next file with comments »