Changeset 207322 in webkit
- Timestamp: Oct 13, 2016 10:29:02 PM
- Location: trunk
- Files: 1 added, 3 edited
trunk/JSTests/ChangeLog
r207235 r207322 1 2016-10-13 Mark Lam <mark.lam@apple.com> 2 3 Fix Array.prototype.splice ES6 compliance. 4 https://bugs.webkit.org/show_bug.cgi?id=163372 5 6 Reviewed by Geoffrey Garen and Yusuke Suzuki. 7 8 * stress/array-splice-on-frozen-object.js: Added. 9 1 10 2016-10-12 Keith Miller <keith_miller@apple.com> 2 11 -
trunk/Source/JavaScriptCore/ChangeLog
r207312 r207322 1 2016-10-13 Mark Lam <mark.lam@apple.com> 2 3 Fix Array.prototype.splice ES6 compliance. 4 https://bugs.webkit.org/show_bug.cgi?id=163372 5 6 Reviewed by Geoffrey Garen and Yusuke Suzuki. 7 8 Our Array.prototype.splice implementation neglected to set length on the result 9 array (step 12 of https://tc39.github.io/ecma262/#sec-array.prototype.splice) in 10 a certain code path. This is now fixed. 11 12 I'm deferring the implementation of step 8 till later because it requires more 13 careful consideration and the fix is of a lesser value (and therefore, of less 14 urgency). See https://bugs.webkit.org/show_bug.cgi?id=163417 15 16 Also added some needed exception checks and assertions. 17 18 * runtime/ArrayPrototype.cpp: 19 (JSC::arrayProtoFuncSplice): 20 1 21 2016-10-13 Joseph Pecoraro <pecoraro@apple.com> 2 22 -
trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
r207241 r207322 923 923 924 924 unsigned actualStart = argumentClampedIndexFromStartOrEnd(exec, 0, length); 925 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 925 926 926 927 unsigned actualDeleteCount = length - actualStart; 928 unsigned insertCount = 0; 927 929 if (exec->argumentCount() > 1) { 930 insertCount = exec->argumentCount() - 2; 928 931 double deleteCount = exec->uncheckedArgument(1).toInteger(exec); 929 932 if (deleteCount < 0) … … 935 938 } 936 939 940 // FIXME: Need to implement step 8 of the spec https://tc39.github.io/ecma262/#sec-array.prototype.splice here. 941 // https://bugs.webkit.org/show_bug.cgi?id=163417 942 937 943 std::pair<SpeciesConstructResult, JSObject*> speciesResult = speciesConstructArray(exec, thisObj, actualDeleteCount); 944 ASSERT(!scope.exception() || speciesResult.first == SpeciesConstructResult::Exception); 938 945 if (speciesResult.first == SpeciesConstructResult::Exception) 939 return JSValue::encode(jsUndefined());946 return encodedJSValue(); 940 947 941 948 JSObject* result = nullptr; … … 967 974 result->initializeIndex(vm, k, v); 968 975 } 969 } 970 } 971 972 unsigned itemCount = std::max<int>(exec->argumentCount() - 2, 0); 976 ASSERT(!scope.exception()); 977 } 978 setLength(exec, vm, result, actualDeleteCount); 979 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 980 } 981 982 unsigned itemCount = insertCount; 983 ASSERT(itemCount == static_cast<unsigned>(std::max<int>(exec->argumentCount() - 2, 0))); 973 984 if (itemCount < actualDeleteCount) { 974 985 shift<JSArray::ShiftCountForSplice>(exec, thisObj, actualStart, actualDeleteCount, itemCount, length);
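Review bot: In the first ArrayPrototype.cpp hunk (new lines 924-933), the deleteCount conversion is missing the exception check that the same hunk adds for actualStart. The visible lines go straight from `double deleteCount = exec->uncheckedArgument(1).toInteger(exec);` to `if (deleteCount < 0)`, yet toInteger can run user code through valueOf and throw just as the start-index conversion can. I would add `RETURN_IF_EXCEPTION(scope, encodedJSValue());` directly after the toInteger call so that splice does not go on to construct the species array with an exception pending.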
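Review bot: In the second ArrayPrototype.cpp hunk (new lines 940-941), the FIXME identifies the missing behaviour only as "step 8" of a URL that points at the living spec draft, where step numbers can shift between editions. Please quote or paraphrase the step's requirement in the comment itself so the note stays meaningful if the spec is renumbered. It would also help to say that insertCount, introduced in the previous hunk, is the value that step will need, since here it is only used later to seed itemCount.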
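Review bot: In the last ArrayPrototype.cpp hunk (new lines 982-983), itemCount is now just an alias for insertCount, and the old `std::max<int>(exec->argumentCount() - 2, 0)` expression survives only inside a debug ASSERT. Two names for one value make the shift logic below harder to follow; consider using insertCount directly and dropping itemCount, or keeping itemCount and removing insertCount. Separately, the new `ASSERT(!scope.exception());` after `result->initializeIndex(vm, k, v);` compiles out in release builds, so if anything in that loop can throw it needs a real RETURN_IF_EXCEPTION rather than an assertion.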