    Avoid calling %AddElement with a number out of array index range · 700bbdc6
    littledan authored
    This patch wraps callsites to %AddElement to fall back to adding a
    named property in case it is given an argument of 2**32 or greater.
    The change is needed because %AddElement is called by Array functions
    in various places, and ES2015 changes these Array functions to use
    ToLength rather than ToUint32, so several callsites of %AddElement
    which used to be reliable array indices may be larger numbers. While
    the proper long-term solution may be to call out to
    Object.defineProperty, this fix should allow the ToLength semantics
    to be shipped while preserving correctness and not requiring a
    rewrite.
    
    BUG=v8:4516
    LOG=Y
    R=adamk
    TEST=Interactively ran Array.prototype.slice on an Array-like which
    exceeded array bounds, and found that this did not check-fail at
    runtime as it did before.
    Microbenchmarked this technique against the previous version on a
    simple reverse implementation and found at most a 1% slowdown, as
    opposed to other techniques, like calling %DefineDataPropertyUnchecked,
    which had a 20% slowdown or Object.defineProperty with an 80% slowdown.
    
    Review URL: https://codereview.chromium.org/1420663003
    
    Cr-Commit-Position: refs/heads/master@{#31640}
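The following is an added example, not code from V8 or from this patch. It models in plain JavaScript the two semantics the commit message contrasts: the pre-ES2015 ToUint32 conversion (which wraps 2**32 back to 0) versus the ES2015 ToLength conversion (which keeps it), and a hypothetical `addElement` helper that mirrors the described fallback: fast element assignment for a valid array index, an ordinary named data property otherwise. All function names and the sample array-like are assumptions introduced here.

```javascript
// Added example (not V8's code): models ToUint32 vs ToLength and the
// "fall back to a named property" strategy described in the commit message.

// ES abstract operation ToUint32: integer modulo 2^32, so 2**32 wraps to 0.
function toUint32(v) {
  return Number(v) >>> 0;
}

// ES2015 abstract operation ToLength: clamps the integer to [0, 2^53 - 1].
function toLength(v) {
  const n = Math.trunc(Number(v));
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// A property key is an "array index" only if it is an integer in [0, 2^32 - 2];
// 2^32 - 1 is reserved, because it cannot be a valid array length minus one.
const MAX_ARRAY_INDEX = 2 ** 32 - 2;
function isArrayIndex(i) {
  return Number.isInteger(i) && i >= 0 && i <= MAX_ARRAY_INDEX;
}

// Hypothetical helper mirroring the patch's wrapper around %AddElement:
// element path for real array indices, named-property fallback otherwise.
// Returns which path was taken so callers (and the test) can check it.
function addElement(obj, index, value) {
  if (isArrayIndex(index)) {
    obj[index] = value;            // element store
    return 'element';
  }
  // Fallback: define an ordinary named data property whose key is the
  // canonical string form of the number, e.g. "4294967296".
  Object.defineProperty(obj, String(index), {
    value, writable: true, enumerable: true, configurable: true,
  });
  return 'named';
}

// Copies the last element of an array-like into a fresh object, the way a
// slice/reverse-style routine would, and reports how each conversion sees
// the length. Under ToUint32 a length of 2**32 + 1 wraps to 1, so the
// "last" element would have been index 0; under ToLength it is index 2**32.
function copyLast(src) {
  const uint32Len = toUint32(src.length);
  const lengthLen = toLength(src.length);
  const last = lengthLen - 1;
  const out = {};
  const path = addElement(out, last, src[last]);
  return { uint32Len, lengthLen, last, path, value: out[String(last)] };
}

// Constructed sample: an array-like whose length exceeds the uint32 range.
// Only two keys exist, so nothing here iterates 2**32 slots.
const sampleArrayLike = { length: 2 ** 32 + 1, 0: 'first' };
sampleArrayLike[2 ** 32] = 'last';

console.log(copyLast(sampleArrayLike));
```

The point the commit message makes is visible in `copyLast`: with ToLength the index 4294967296 survives the conversion, so the helper must not hand it to an element store that assumes a uint32 index; the named-property fallback keeps the value while preserving the fast element path for every index that really is an array index.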
harmony-array.js 7.29 KB