• Mike Stanton's avatar
    [builtins] Enable Torque Array.prototype.splice · fd334b32
    Mike Stanton authored
    Before, splice was implemented with a C++ fast path and a
    comprehensive JavaScript version.
    
    This impl. is entirely in Torque with a fastpath for SMI,
    DOUBLE and OBJECT arrays, and a comprehensive slow path.
    The same level of "sparse" array support as given by the
    array.js implementation is included.
    
    This reland addresses several issues:
    
    * Removed "sparse" array support from splice.
    * Addressed ClusterFuzz issue 876443:
      The test and code that uses the fix is in this CL.
      The fix in isolation can be seen here:
      https://chromium-review.googlesource.com/c/v8/v8/+/1199403
    * Removed dead code in elements.cc
    
    BUG=chromium:876443, v8:8131, v8:1956, v8:7221
    
    Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
    Change-Id: I2d4a66c24ba1edabeca34e27e6ff8ee6136ed5f1
    Reviewed-on: https://chromium-review.googlesource.com/1201783
    Commit-Queue: Michael Stanton <mvstanton@chromium.org>
    Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#55610}
    fd334b32
code-stub-assembler.h 145 KB