Reviewers: danno,
Message:
PTAL
Description:
Always check copy_size before getting accessor and trying to copy.
Please review this at https://chromiumcodereview.appspot.com/11348071/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/builtins.cc
Index: src/builtins.cc
diff --git a/src/builtins.cc b/src/builtins.cc
index
fb6f8f867ef395de85a5b824948f26e19f347334..79a4b5c229da1e10612ad65c354b2bcf0 d2b1ccd
100644
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -574,11 +574,13 @@ BUILTIN(ArrayPush) {
MaybeObject* maybe_obj =
heap->AllocateUninitializedFixedArray(capacity);
if (!maybe_obj->To(&new_elms)) return maybe_obj;
- ElementsAccessor* accessor = array->GetElementsAccessor();
- MaybeObject* maybe_failure =
- accessor->CopyElements(array, 0, new_elms, kind, 0, len,
elms_obj);
- ASSERT(!maybe_failure->IsFailure());
- USE(maybe_failure);
+ if (len > 0) {
+ ElementsAccessor* accessor = array->GetElementsAccessor();
+ MaybeObject* maybe_failure =
+ accessor->CopyElements(array, 0, new_elms, kind, 0, len,
elms_obj);
+ ASSERT(!maybe_failure->IsFailure());
+ USE(maybe_failure);
+ }
FillWithHoles(heap, new_elms, new_length, capacity);
elms = new_elms;
@@ -621,11 +623,13 @@ BUILTIN(ArrayPush) {
heap->AllocateUninitializedFixedDoubleArray(capacity);
if (!maybe_obj->To(&new_elms)) return maybe_obj;
- ElementsAccessor* accessor = array->GetElementsAccessor();
- MaybeObject* maybe_failure =
- accessor->CopyElements(array, 0, new_elms, kind, 0, len,
elms_obj);
- ASSERT(!maybe_failure->IsFailure());
- USE(maybe_failure);
+ if (len > 0) {
+ ElementsAccessor* accessor = array->GetElementsAccessor();
+ MaybeObject* maybe_failure =
+ accessor->CopyElements(array, 0, new_elms, kind, 0, len,
elms_obj);
+ ASSERT(!maybe_failure->IsFailure());
+ USE(maybe_failure);
+ }
FillWithHoles(new_elms, len + to_add, new_elms->length());
} else {
@@ -783,12 +787,14 @@ BUILTIN(ArrayUnshift) {
MaybeObject* maybe_elms =
heap->AllocateUninitializedFixedArray(capacity);
if (!maybe_elms->To(&new_elms)) return maybe_elms;
- ElementsKind kind = array->GetElementsKind();
- ElementsAccessor* accessor = array->GetElementsAccessor();
- MaybeObject* maybe_failure =
- accessor->CopyElements(array, 0, new_elms, kind, to_add, len,
elms);
- ASSERT(!maybe_failure->IsFailure());
- USE(maybe_failure);
+ if (len > 0) {
+ ElementsKind kind = array->GetElementsKind();
+ ElementsAccessor* accessor = array->GetElementsAccessor();
+ MaybeObject* maybe_failure =
+ accessor->CopyElements(array, 0, new_elms, kind, to_add, len,
elms);
+ ASSERT(!maybe_failure->IsFailure());
+ USE(maybe_failure);
+ }
FillWithHoles(heap, new_elms, new_length, capacity);
elms = new_elms;
@@ -929,6 +935,8 @@ BUILTIN(ArraySlice) {
MaybeObject* maybe_array = heap->AllocateJSArrayAndStorage(kind,
result_len,
result_len);
+
+ if (result_len == 0) return maybe_array;
if (!maybe_array->To(&result_array)) return maybe_array;
ElementsAccessor* accessor = object->GetElementsAccessor();
@@ -1095,19 +1103,23 @@ BUILTIN(ArraySplice) {
MaybeObject* maybe_obj =
heap->AllocateUninitializedFixedArray(capacity);
if (!maybe_obj->To(&new_elms)) return maybe_obj;
- // Copy the part before actual_start as is.
ElementsKind kind = array->GetElementsKind();
ElementsAccessor* accessor = array->GetElementsAccessor();
- MaybeObject* maybe_failure = accessor->CopyElements(
- array, 0, new_elms, kind, 0, actual_start, elms);
- ASSERT(!maybe_failure->IsFailure());
- USE(maybe_failure);
+ if (actual_start > 0) {
+ // Copy the part before actual_start as is.
+ MaybeObject* maybe_failure = accessor->CopyElements(
+ array, 0, new_elms, kind, 0, actual_start, elms);
+ ASSERT(!maybe_failure->IsFailure());
+ USE(maybe_failure);
+ }
const int to_copy = len - actual_delete_count - actual_start;
- maybe_failure = accessor->CopyElements(
- array, actual_start + actual_delete_count, new_elms, kind,
- actual_start + item_count, to_copy, elms);
- ASSERT(!maybe_failure->IsFailure());
- USE(maybe_failure);
+ if (to_copy > 0) {
+ MaybeObject* maybe_failure = accessor->CopyElements(
+ array, actual_start + actual_delete_count, new_elms, kind,
+ actual_start + item_count, to_copy, elms);
+ ASSERT(!maybe_failure->IsFailure());
+ USE(maybe_failure);
+ }
FillWithHoles(heap, new_elms, new_length, capacity);
@@ -1186,14 +1198,9 @@ BUILTIN(ArrayConcat) {
}
ElementsKind arg_kind = JSArray::cast(arg)->map()->elements_kind();
- ElementsKind packed_kind = GetPackedElementsKind(arg_kind);
- if (IsMoreGeneralElementsKindTransition(
- GetPackedElementsKind(elements_kind), packed_kind)) {
- if (IsFastHoleyElementsKind(elements_kind)) {
- elements_kind = GetHoleyElementsKind(arg_kind);
- } else {
- elements_kind = arg_kind;
- }
+ if (IsMoreGeneralElementsKindTransition(elements_kind, arg_kind)) {
+ elements_kind = IsFastHoleyElementsKind(elements_kind)
+ ? GetHoleyElementsKind(arg_kind) : arg_kind;
}
}
@@ -1210,12 +1217,14 @@ BUILTIN(ArrayConcat) {
FixedArrayBase* storage = result_array->elements();
for (int i = 0; i < n_arguments; i++) {
JSArray* array = JSArray::cast(args[i]);
- ElementsAccessor* accessor = array->GetElementsAccessor();
int len = Smi::cast(array->length())->value();
- MaybeObject* maybe_failure =
- accessor->CopyElements(array, 0, storage, elements_kind, j, len);
- if (maybe_failure->IsFailure()) return maybe_failure;
- j += len;
+ if (len > 0) {
+ ElementsAccessor* accessor = array->GetElementsAccessor();
+ MaybeObject* maybe_failure =
+ accessor->CopyElements(array, 0, storage, elements_kind, j, len);
+ if (maybe_failure->IsFailure()) return maybe_failure;
+ j += len;
+ }
}
ASSERT(j == result_len);
