Changeset 167252 in webkit


Ignore:
Timestamp:
Apr 14, 2014 10:26:28 AM (10 years ago)
Author:
akling@apple.com
Message:

Unreviewed, rolling out r167249.
https://bugs.webkit.org/show_bug.cgi?id=131621

broke 3 tests on cloop (Requested by kling on #webkit).

Reverted changeset:

"Array.prototype.concat should allocate output storage only
once."
https://bugs.webkit.org/show_bug.cgi?id=131609
http://trac.webkit.org/changeset/167249

Patch by Commit Queue <commit-queue@webkit.org> on 2014-04-14

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r167250 r167252  
     12014-04-14  Commit Queue  <commit-queue@webkit.org>
     2
     3        Unreviewed, rolling out r167249.
     4        https://bugs.webkit.org/show_bug.cgi?id=131621
     5
     6        broke 3 tests on cloop (Requested by kling on #webkit).
     7
     8        Reverted changeset:
     9
     10        "Array.prototype.concat should allocate output storage only
     11        once."
     12        https://bugs.webkit.org/show_bug.cgi?id=131609
     13        http://trac.webkit.org/changeset/167249
     14
    1152014-04-14  Alex Christensen  <achristensen@webkit.org>
    216

  • trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp

    r167249 r167252  
    147147
    148148// Helper function
    149 static ALWAYS_INLINE JSValue getProperty(ExecState* exec, JSObject* obj, unsigned index)
     149static JSValue getProperty(ExecState* exec, JSObject* obj, unsigned index)
    150150{
    151151    PropertySlot slot(obj);
     
    417417{
    418418    JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
     419    JSArray* arr = constructEmptyArray(exec, nullptr);
     420    unsigned n = 0;
     421    JSValue curArg = thisValue.toObject(exec);
     422    if (exec->hadException())
     423        return JSValue::encode(jsUndefined());
     424    size_t i = 0;
    419425    size_t argCount = exec->argumentCount();
    420     JSValue curArg = thisValue.toObject(exec);
    421     Checked<unsigned, RecordOverflow> finalArraySize = 0;
    422 
    423     for (size_t i = 0; i <= argCount; ++i) {
    424         if (JSArray* currentArray = jsDynamicCast<JSArray*>(curArg))
    425             finalArraySize += currentArray->length();
    426         else
    427             finalArraySize++;
    428         curArg = exec->uncheckedArgument(i);
    429     }
    430 
    431     if (finalArraySize.hasOverflowed())
    432         return JSValue::encode(throwOutOfMemoryError(exec));
    433 
    434     JSArray* arr = constructEmptyArray(exec, nullptr, finalArraySize.unsafeGet());
    435     if (exec->hadException())
    436         return JSValue::encode(jsUndefined());
    437 
    438     curArg = thisValue.toObject(exec);
    439     unsigned n = 0;
    440     size_t i = 0;
    441426    while (1) {
    442         if (JSArray* currentArray = jsDynamicCast<JSArray*>(curArg)) {
    443             unsigned length = currentArray->length();
     427        if (curArg.inherits(JSArray::info())) {
     428            unsigned length = curArg.get(exec, exec->propertyNames().length).toUInt32(exec);
     429            JSObject* curObject = curArg.toObject(exec);
    444430            for (unsigned k = 0; k < length; ++k) {
    445                 JSValue v = getProperty(exec, currentArray, k);
     431                JSValue v = getProperty(exec, curObject, k);
    446432                if (exec->hadException())
    447433                    return JSValue::encode(jsUndefined());
Note: See TracChangeset for help on using the changeset viewer.