Changeset 207322 in webkit


Timestamp:
Oct 13, 2016 10:29:02 PM
Author:
mark.lam@apple.com
Message:

Fix Array.prototype.splice ES6 compliance.
https://bugs.webkit.org/show_bug.cgi?id=163372

Reviewed by Geoffrey Garen and Yusuke Suzuki.

JSTests:

  • stress/array-splice-on-frozen-object.js: Added.

Source/JavaScriptCore:

Our Array.prototype.splice implementation neglected to set length on the result
array (step 12 of https://tc39.github.io/ecma262/#sec-array.prototype.splice) in
a certain code path. This is now fixed.

I'm deferring the implementation of step 8 till later because it requires more
careful consideration and the fix is of a lesser value (and therefore, of less
urgency). See https://bugs.webkit.org/show_bug.cgi?id=163417

Also added some needed exception checks and assertions.

  • runtime/ArrayPrototype.cpp:
    (JSC::arrayProtoFuncSplice):

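The step 12 behaviour this changeset fixes, shown from script as an added example that is not part of the WebKit change: a Symbol.species constructor hands splice a plain object (and, mirroring the added stress test, a frozen one), so the result must receive length === actualDeleteCount and a failed length write must surface as a TypeError. The names PlainObjectSpecies, FrozenObjectSpecies, spliceWithSpecies, checkStep12 and spliceIntoFrozenResult are chosen here and are not JSC identifiers.

```javascript
// Added example (not code from the WebKit changeset). ArraySpeciesCreate lets
// a user-supplied Symbol.species constructor build the result object A of
// Array.prototype.splice; step 12 then requires Set(A, "length",
// actualDeleteCount, true), so A must end up with an own "length" property.

// Species constructor returning a plain object: nothing keeps "length" in
// sync automatically, so only an explicit step-12 Set can produce it.
function PlainObjectSpecies() {
  return {};
}

// Species constructor returning a frozen object: neither the copied elements
// nor "length" can be defined on it, so a compliant splice must throw.
function FrozenObjectSpecies() {
  return Object.freeze({});
}

// Run splice on a fresh copy of `items` whose own "constructor" property
// routes ArraySpeciesCreate to `speciesCtor`. Returns A and the host array.
function spliceWithSpecies(speciesCtor, items, start, deleteCount, ...insert) {
  const host = Array.from(items);
  host.constructor = { [Symbol.species]: speciesCtor };
  const removed = host.splice(start, deleteCount, ...insert);
  return { removed, host };
}

// Step-12 check: A is not an Array, yet carries length === actualDeleteCount
// alongside the copied elements, and the host was spliced normally.
function checkStep12(items, start, deleteCount) {
  const { removed, host } = spliceWithSpecies(PlainObjectSpecies, items, start, deleteCount);
  const lengthDesc = Object.getOwnPropertyDescriptor(removed, 'length');
  const elementKeys = Object.keys(removed).filter((k) => k !== 'length');
  return {
    isArray: Array.isArray(removed),
    length: lengthDesc === undefined ? undefined : lengthDesc.value,
    removedValues: elementKeys.map((k) => removed[k]),
    hostLength: host.length,
  };
}

// Exception path: a failed element or "length" write on a frozen A must
// propagate to the caller instead of being dropped.
function spliceIntoFrozenResult(items, start, deleteCount) {
  try {
    spliceWithSpecies(FrozenObjectSpecies, items, start, deleteCount);
    return 'no error';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : e.constructor.name;
  }
}
```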
Location:
trunk
Files:
1 added
3 edited

  • trunk/JSTests/ChangeLog

    r207235 r207322  
     12016-10-13  Mark Lam  <mark.lam@apple.com>
     2
     3        Fix Array.prototype.splice ES6 compliance.
     4        https://bugs.webkit.org/show_bug.cgi?id=163372
     5
     6        Reviewed by Geoffrey Garen and Yusuke Suzuki.
     7
     8        * stress/array-splice-on-frozen-object.js: Added.
     9
    1102016-10-12  Keith Miller  <keith_miller@apple.com>
    211
  • trunk/Source/JavaScriptCore/ChangeLog

    r207312 r207322  
     12016-10-13  Mark Lam  <mark.lam@apple.com>
     2
     3        Fix Array.prototype.splice ES6 compliance.
     4        https://bugs.webkit.org/show_bug.cgi?id=163372
     5
     6        Reviewed by Geoffrey Garen and Yusuke Suzuki.
     7
     8        Our Array.prototype.splice implementation neglected to set length on the result
     9        array (step 12 of https://tc39.github.io/ecma262/#sec-array.prototype.splice) in
     10        a certain code path.  This is now fixed.
     11
     12        I'm deferring the implementation of step 8 till later because it requires more
     13        careful consideration and the fix is of a lesser value (and therefore, of less
     14        urgency).  See https://bugs.webkit.org/show_bug.cgi?id=163417
     15
     16        Also added some needed exception checks and assertions.
     17
     18        * runtime/ArrayPrototype.cpp:
     19        (JSC::arrayProtoFuncSplice):
     20
    1212016-10-13  Joseph Pecoraro  <pecoraro@apple.com>
    222
  • trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp

    r207241 r207322  
    923923
    924924    unsigned actualStart = argumentClampedIndexFromStartOrEnd(exec, 0, length);
     925    RETURN_IF_EXCEPTION(scope, encodedJSValue());
    925926
    926927    unsigned actualDeleteCount = length - actualStart;
     928    unsigned insertCount = 0;
    927929    if (exec->argumentCount() > 1) {
     930        insertCount = exec->argumentCount() - 2;
    928931        double deleteCount = exec->uncheckedArgument(1).toInteger(exec);
    929932        if (deleteCount < 0)
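Review bot: the RETURN_IF_EXCEPTION added after argumentClampedIndexFromStartOrEnd at line 925 is needed because converting the start argument can run user code and throw; line 931 converts the second argument with exec->uncheckedArgument(1).toInteger(exec), which can throw the same way, so confirm that a matching RETURN_IF_EXCEPTION(scope, encodedJSValue()) follows it in the lines this hunk does not show. Computing insertCount inside the argumentCount() > 1 branch is correct: argumentCount() - 2 cannot underflow there, and the default of 0 covers the no-argument case.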
     
    935938    }
    936939
     940    // FIXME: Need to implement step 8 of the spec https://tc39.github.io/ecma262/#sec-array.prototype.splice here.
     941    // https://bugs.webkit.org/show_bug.cgi?id=163417
     942
    937943    std::pair<SpeciesConstructResult, JSObject*> speciesResult = speciesConstructArray(exec, thisObj, actualDeleteCount);
     944    ASSERT(!scope.exception() || speciesResult.first == SpeciesConstructResult::Exception);
    938945    if (speciesResult.first == SpeciesConstructResult::Exception)
    939         return JSValue::encode(jsUndefined());
     946        return encodedJSValue();
    940947
    941948    JSObject* result = nullptr;
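Review bot: the ASSERT at line 944 checks only one direction of the invariant (an exception on the scope implies SpeciesConstructResult::Exception); if speciesConstructArray also guarantees the converse, a two-sided check such as ASSERT(!!scope.exception() == (speciesResult.first == SpeciesConstructResult::Exception)) would also catch a result that reports Exception without one having been thrown. Returning encodedJSValue() at 946 matches the RETURN_IF_EXCEPTION(scope, encodedJSValue()) convention used in this function, and the FIXME at 940-941 with its bug link is the right way to keep the deferred step 8 visible.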
     
    967974                result->initializeIndex(vm, k, v);
    968975            }
    969         }
    970     }
    971 
    972     unsigned itemCount = std::max<int>(exec->argumentCount() - 2, 0);
     976            ASSERT(!scope.exception());
     977        }
     978        setLength(exec, vm, result, actualDeleteCount);
     979        RETURN_IF_EXCEPTION(scope, encodedJSValue());
     980    }
     981
     982    unsigned itemCount = insertCount;
     983    ASSERT(itemCount == static_cast<unsigned>(std::max<int>(exec->argumentCount() - 2, 0)));
    973984    if (itemCount < actualDeleteCount) {
    974985        shift<JSArray::ShiftCountForSplice>(exec, thisObj, actualStart, actualDeleteCount, itemCount, length);
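Review bot: the setLength call at line 978 is the actual step 12 fix, so it deserves a comment citing https://tc39.github.io/ecma262/#sec-array.prototype.splice step 12 next to it, the way the FIXME above cites step 8. The RETURN_IF_EXCEPTION directly after it matters because a species-constructed result can reject the length write (a frozen object, which the added stress/array-splice-on-frozen-object.js exercises), and the removed lines 969-972 show that this path previously performed no length write at all. Replacing std::max<int>(exec->argumentCount() - 2, 0) with insertCount and asserting that the two agree keeps release behaviour unchanged while checking the new bookkeeping in debug builds.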