Commit 2e0fea16 authored by fpizlo@apple.com

JSObject.cpp and JSArray.cpp have inconsistent tests for the invalid array index case

https://bugs.webkit.org/show_bug.cgi?id=96878

Reviewed by Sam Weinig.

Removed the uses of UNLIKELY() because I don't believe they are buying us anything,
since we're already on the slow path. Also found other places where we're testing for
the invalid array index case using unusual predicates rather than just using
MAX_ARRAY_INDEX. With this change, I believe that all of our tests for invalid
array indices (i.e. indices that should be treated as non-indexed properties)
uniformly use MAX_ARRAY_INDEX and PropertyName::NotAnIndex.

* runtime/JSArray.cpp:
(JSC::JSArray::push):
* runtime/JSObject.cpp:
(JSC::JSObject::putByIndex):
(JSC::JSObject::defineOwnIndexedProperty):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128706 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 6ee5c9da
2012-09-16 Filip Pizlo <fpizlo@apple.com>
JSObject.cpp and JSArray.cpp have inconsistent tests for the invalid array index case
https://bugs.webkit.org/show_bug.cgi?id=96878
Reviewed by Sam Weinig.
Removed the uses of UNLIKELY() because I don't believe they are buying us anything,
since we're already on the slow path. Also found other places where we're testing for
the invalid array index case using unusual predicates rather than just using
MAX_ARRAY_INDEX. With this change, I believe that all of our tests for invalid
array indices (i.e. indices that should be treated as non-indexed properties)
uniformly use MAX_ARRAY_INDEX and PropertyName::NotAnIndex.
* runtime/JSArray.cpp:
(JSC::JSArray::push):
* runtime/JSObject.cpp:
(JSC::JSObject::putByIndex):
(JSC::JSObject::defineOwnIndexedProperty):
2012-09-15 Filip Pizlo <fpizlo@apple.com>
Following the Butterfly refactoring, the comment for lastArraySize was not updated
......
......@@ -477,8 +477,8 @@ void JSArray::push(ExecState* exec, JSValue value)
return;
}
// Pushing to an array of length 2^32-1 stores the property, but throws a range error.
if (UNLIKELY(storage->length() == 0xFFFFFFFFu)) {
// Pushing to an array of invalid length (2^31-1) stores the property, but throws a range error.
if (storage->length() > MAX_ARRAY_INDEX) {
methodTable()->putByIndex(this, exec, storage->length(), value, true);
// Per ES5.1 15.4.4.7 step 6 & 15.4.5.1 step 3.d.
if (!exec->hadException())
......
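Review bot: The replacement comment in JSArray::push gives the invalid length as 2^31-1, but the comment and predicate it replaces both used 2^32-1 (`storage->length() == 0xFFFFFFFFu`), and nothing in this hunk indicates the threshold was meant to move. Suggest wording the comment in terms of the constant, for example "Pushing to an array whose length exceeds MAX_ARRAY_INDEX stores the property, but throws a range error", so it cannot drift from the check `storage->length() > MAX_ARRAY_INDEX`.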
......@@ -347,7 +347,7 @@ void JSObject::putByIndex(JSCell* cell, ExecState* exec, unsigned propertyName,
JSObject* thisObject = jsCast<JSObject*>(cell);
thisObject->checkIndexingConsistency();
if (UNLIKELY(propertyName > MAX_ARRAY_INDEX)) {
if (propertyName > MAX_ARRAY_INDEX) {
PutPropertySlot slot(shouldThrow);
thisObject->methodTable()->put(thisObject, exec, Identifier::from(exec, propertyName), value, slot);
return;
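Review bot: In JSObject::putByIndex the `propertyName > MAX_ARRAY_INDEX` branch carries no comment explaining why the index is handed to the generic `put()` through `Identifier::from(exec, propertyName)`. The commit message describes these as indices that should be treated as non-indexed properties; a one-line comment saying so at the branch would document the intent at the place where the uniform predicate is applied.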
......@@ -980,7 +980,7 @@ void JSObject::putIndexedDescriptor(ExecState* exec, SparseArrayEntry* entryInMa
// Defined in ES5.1 8.12.9
bool JSObject::defineOwnIndexedProperty(ExecState* exec, unsigned index, PropertyDescriptor& descriptor, bool throwException)
{
ASSERT(index != 0xFFFFFFFF);
ASSERT(index <= MAX_ARRAY_INDEX);
if (!inSparseIndexingMode()) {
// Fast case: we're putting a regular property to a regular array
......
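Review bot: In JSObject::defineOwnIndexedProperty the bound is enforced only by `ASSERT(index <= MAX_ARRAY_INDEX)`, which is a debug-build check, so release builds depend on every caller having filtered the index first. Please confirm that each caller applies the same `> MAX_ARRAY_INDEX` test that putByIndex uses before reaching this function, or handle the out-of-range index explicitly here instead of asserting.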