Changeset 203033 in webkit
- Timestamp:
- Jul 9, 2016, 1:50:51 PM (9 years ago)
- Location:
- trunk
- Files:
-
- 4 added
- 3 edited
-
LayoutTests/ChangeLog (modified) (1 diff)
-
LayoutTests/js/regress/concat-append-one-expected.txt (added)
-
LayoutTests/js/regress/concat-append-one.html (added)
-
LayoutTests/js/regress/script-tests/concat-append-one.js (added)
-
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
-
Source/JavaScriptCore/runtime/ArrayPrototype.cpp (modified) (1 diff)
-
Source/JavaScriptCore/tests/stress/concat-with-holesMustForwardToPrototype.js (added)
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r203029 r203033 1 2016-07-09 Keith Miller <keith_miller@apple.com> 2 3 appendMemcpy might fail in concatAppendOne 4 https://bugs.webkit.org/show_bug.cgi?id=159601 5 6 Reviewed by Mark Lam. 7 8 Add new microbenchmark testing the performance of concat 9 when appending one new element. This patch appears to be 10 about a 13% progression on this test. 11 12 * js/regress/concat-append-one-expected.txt: Added. 13 * js/regress/concat-append-one.html: Added. 14 * js/regress/script-tests/concat-append-one.js: Added. 15 (test): 16 1 17 2016-07-09 Youenn Fablet <youenn@apple.com> 2 18 -
trunk/Source/JavaScriptCore/ChangeLog
r203028 r203033 1 2016-07-09 Keith Miller <keith_miller@apple.com> 2 3 appendMemcpy might fail in concatAppendOne 4 https://bugs.webkit.org/show_bug.cgi?id=159601 5 <rdar://problem/27211300> 6 7 Reviewed by Mark Lam. 8 9 There are multiple reasons why we might fail appendMemcpy. One 10 reason, which I suspect was the source of the crashes, is that one 11 of the Array prototypes has an indexed property. This patch 12 consolidates the two old cases by just creating an array then 13 attempting to memcpy append. If that fails, we fall back to 14 moveElements. 15 16 * runtime/ArrayPrototype.cpp: 17 (JSC::concatAppendOne): 18 * tests/stress/concat-with-holesMustForwardToPrototype.js: Added. 19 (arrayEq): 20 1 21 2016-07-09 Benjamin Poulain <bpoulain@apple.com> 2 22 -
trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
r202943 r203033 1048 1048 1049 1049 IndexingType type = first->mergeIndexingTypeForCopying(indexingTypeForValue(second) | IsArray); 1050 JSArray* result; 1051 if (type == NonArray) { 1052 result = constructEmptyArray(exec, nullptr, firstArraySize + 1); 1053 if (vm.exception()) 1054 return JSValue::encode(JSValue()); 1055 1050 if (type == NonArray) 1051 type = ArrayWithUndecided; 1052 1053 Structure* resultStructure = exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(type); 1054 JSArray* result = JSArray::create(vm, resultStructure, firstArraySize + 1); 1055 if (!result) 1056 return JSValue::encode(throwOutOfMemoryError(exec)); 1057 1058 if (!result->appendMemcpy(exec, vm, 0, first)) { 1056 1059 if (!moveElements(exec, vm, result, 0, first, firstArraySize)) { 1057 1060 ASSERT(vm.exception()); 1058 1061 return JSValue::encode(JSValue()); 1059 1062 } 1060 1061 } else {1062 Structure* resultStructure = exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(type);1063 result = JSArray::tryCreateUninitialized(vm, resultStructure, firstArraySize + 1);1064 if (!result)1065 return JSValue::encode(throwOutOfMemoryError(exec));1066 1067 bool memcpyResult = result->appendMemcpy(exec, vm, 0, first);1068 RELEASE_ASSERT(memcpyResult);1069 1063 } 1070 1064
Note:
See TracChangeset
for help on using the changeset viewer.
