Changeset 175249 in webkit
- Timestamp:
- Oct 28, 2014 8:29:51 AM (9 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 2 edited
trunk/Source/JavaScriptCore/ChangeLog
r175243 r175249 1 2014-10-27 Mark Lam <mark.lam@apple.com> 2 3 Holes are not copied properly when Arrays change shape to ArrayStorage type. 4 <https://webkit.org/b/138118> 5 6 Reviewed by Mark Hahnenberg. 7 8 When we convert non-ArrayStorage typed arrays into ArrayStorage typed arrays, 9 we skipped the holes. As a result, the slots in the ArrayStorage vector that 10 corresponds to those holes are uninitialize. This is now fixed. 11 12 * runtime/JSObject.cpp: 13 (JSC::JSObject::convertUndecidedToArrayStorage): 14 (JSC::JSObject::convertInt32ToArrayStorage): 15 (JSC::JSObject::convertDoubleToArrayStorage): 16 (JSC::JSObject::convertContiguousToArrayStorage): 17 1 18 2014-10-27 Mark Lam <mark.lam@apple.com> 2 19 -
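--- a/trunk/Source/JavaScriptCore/runtime/JSObject.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/JSObject.cpp
@@ -733,4 +733,5 @@
     ArrayStorage* storage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
     // No need to copy elements.
+    ASSERT(!m_butterfly->publicLength());
 
     Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
@@ -779,10 +780,11 @@
     unsigned vectorLength = m_butterfly->vectorLength();
     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
-    for (unsigned i = m_butterfly->publicLength(); i--;) {
+    for (unsigned i = 0; i < m_butterfly->publicLength(); i++) {
         JSValue v = m_butterfly->contiguous()[i].get();
-        if (!v)
-            continue;
-        newStorage->m_vector[i].setWithoutWriteBarrier(v);
-        newStorage->m_numValuesInVector++;
+        if (v) {
+            newStorage->m_vector[i].setWithoutWriteBarrier(v);
+            newStorage->m_numValuesInVector++;
+        } else
+            newStorage->m_vector[i].clear();
     }
 
@@ -848,10 +850,11 @@
     unsigned vectorLength = m_butterfly->vectorLength();
     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
-    for (unsigned i = m_butterfly->publicLength(); i--;) {
+    for (unsigned i = 0; i < m_butterfly->publicLength(); i++) {
         double value = m_butterfly->contiguousDouble()[i];
-        if (value != value)
-            continue;
-        newStorage->m_vector[i].setWithoutWriteBarrier(JSValue(JSValue::EncodeAsDouble, value));
-        newStorage->m_numValuesInVector++;
+        if (value == value) {
+            newStorage->m_vector[i].setWithoutWriteBarrier(JSValue(JSValue::EncodeAsDouble, value));
+            newStorage->m_numValuesInVector++;
+        } else
+            newStorage->m_vector[i].clear();
     }
 
@@ -873,10 +876,11 @@
     unsigned vectorLength = m_butterfly->vectorLength();
     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
-    for (unsigned i = m_butterfly->publicLength(); i--;) {
+    for (unsigned i = 0; i < m_butterfly->publicLength(); i++) {
         JSValue v = m_butterfly->contiguous()[i].get();
-        if (!v)
-            continue;
-        newStorage->m_vector[i].setWithoutWriteBarrier(v);
-        newStorage->m_numValuesInVector++;
+        if (v) {
+            newStorage->m_vector[i].setWithoutWriteBarrier(v);
+            newStorage->m_numValuesInVector++;
+        } else
+            newStorage->m_vector[i].clear();
     }
 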
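Review bot: The `else` branches added in convertInt32ToArrayStorage, convertDoubleToArrayStorage and convertContiguousToArrayStorage clear only the slots below publicLength(), while the new vector is sized by vectorLength(); whether constructConvertedArrayStorageWithoutCopyingElements initializes the tail between publicLength() and vectorLength() is not visible in this section, and an ASSERT or comment stating that contract next to these loops would make the fix auditable, since an uninitialized JSValue slot in ArrayStorage is exactly the defect this change repairs. The Int32 and Contiguous loops (second and fourth hunks) are now byte-identical and could share one static helper that takes the contiguous butterfly slots and the destination ArrayStorage, so a future change cannot fix one and miss the other. In the Double loop, `value == value` is the NaN test that separates a hole from a stored number, and a one-line comment such as `// A NaN in contiguousDouble() marks a hole: clear the slot instead of copying it.` would make that intent explicit. The convertUndecidedToArrayStorage hunk only adds a debug-only ASSERT that publicLength() is zero; whether a non-zero publicLength can reach that path in release builds cannot be judged from here. Each of these functions starts and ends outside the visible hunks.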