Commit 8fd5e34c authored by fpizlo@apple.com

We shouldn't use the optimized versions of shift/unshift if the user is doing crazy things to the array
https://bugs.webkit.org/show_bug.cgi?id=97603
<rdar://problem/12370864>

Reviewed by Gavin Barraclough.

You changed the length behind our backs? No optimizations for you then!

* runtime/ArrayPrototype.cpp:
(JSC::shift):
(JSC::unshift):
* runtime/JSArray.cpp:
(JSC::JSArray::shiftCount):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129577 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 2d9c05f9
2012-09-25 Filip Pizlo <fpizlo@apple.com>
We shouldn't use the optimized versions of shift/unshift if the user is doing crazy things to the array
https://bugs.webkit.org/show_bug.cgi?id=97603
<rdar://problem/12370864>
Reviewed by Gavin Barraclough.
You changed the length behind our backs? No optimizations for you then!
* runtime/ArrayPrototype.cpp:
(JSC::shift):
(JSC::unshift):
* runtime/JSArray.cpp:
(JSC::JSArray::shiftCount):
2012-09-25 Filip Pizlo <fpizlo@apple.com>
JSC bindings appear to sometimes ignore the possibility of arrays being in sparse mode
......
......@@ -202,8 +202,11 @@ static inline void shift(ExecState* exec, JSObject* thisObj, unsigned header, un
ASSERT(header <= length);
ASSERT(currentCount <= (length - header));
if (!header && isJSArray(thisObj) && asArray(thisObj)->shiftCount(exec, count))
return;
if (!header && isJSArray(thisObj)) {
JSArray* array = asArray(thisObj);
if (array->length() == length && asArray(thisObj)->shiftCount(exec, count))
return;
}
for (unsigned k = header; k < length - currentCount; ++k) {
unsigned from = k + currentCount;
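Review bot: The new `array->length() == length` guard in shift() carries no comment explaining why the `length` argument can disagree with the array's current length, and the call still goes through `asArray(thisObj)->shiftCount(exec, count)` even though `array` was bound one line earlier. Add a short comment stating that the caller's `length` may be stale by the time this runs and that the optimized path is only valid while it still matches, then call `array->shiftCount(exec, count)`. Note that the two ASSERTs above the block compile out in release builds, so this equality test is the only runtime validation of `length` before the optimized path is taken; the comment should say so.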
......@@ -242,8 +245,11 @@ static inline void unshift(ExecState* exec, JSObject* thisObj, unsigned header,
return;
}
if (!header && isJSArray(thisObj) && asArray(thisObj)->unshiftCount(exec, count))
return;
if (!header && isJSArray(thisObj)) {
JSArray* array = asArray(thisObj);
if (array->length() == length && asArray(thisObj)->unshiftCount(exec, count))
return;
}
for (unsigned k = length - currentCount; k > header; --k) {
unsigned from = k + currentCount - 1;
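Review bot: unshift() repeats the guard from shift() by hand, including the leftover `asArray(thisObj)->unshiftCount(exec, count)` where `array->unshiftCount(exec, count)` would do. Two copies of a safety check tend to drift apart; consider a small static helper that takes `thisObj`, `header` and `length` and returns the `JSArray*` only when the fast path is allowed, and use it in both functions. No regression test for an array whose length changes before the fast path is reached is visible in this view; if the commit does not add one elsewhere, it should.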
......
......@@ -499,6 +499,7 @@ bool JSArray::shiftCount(ExecState* exec, unsigned count)
ArrayStorage* storage = ensureArrayStorage(exec->globalData());
unsigned oldLength = storage->length();
ASSERT(count <= oldLength);
// If the array contains holes or is otherwise in an abnormal state,
// use the generic algorithm in ArrayPrototype.
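Review bot: `ASSERT(count <= oldLength)` in JSArray::shiftCount is debug-only, so a release build proceeds past it with no check that `count` fits within the storage length. The callers' new `array->length() == length` test does not bound `count`. This function already returns a bool that sends callers to the generic algorithm in ArrayPrototype, so returning false when `count > oldLength` would enforce the invariant in release builds too.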
......