test/webkit/array-splice.js · a41aaf78e1fb40701568e0a788ea5167c7d38ec4 · Linshizhi / V8

[builtins] Enable Torque Array.prototype.splice · fd334b32

Mike Stanton authored Sep 04, 2018

Before, splice was implemented with a C++ fast path and a
comprehensive JavaScript version.

This impl. is entirely in Torque with a fastpath for SMI,
DOUBLE and OBJECT arrays, and a comprehensive slow path.
The same level of "sparse" array support as given by the
array.js implementation is included.

This reland addresses several issues:

* Removed "sparse" array support from splice.
* Addressed ClusterFuzz issue 876443:
  The test and code that uses the fix is in this CL.
  The fix in isolation can be seen here:
  https://chromium-review.googlesource.com/c/v8/v8/+/1199403
* Removed dead code in elements.cc

BUG=chromium:876443, v8:8131, v8:1956, v8:7221

Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I2d4a66c24ba1edabeca34e27e6ff8ee6136ed5f1
Reviewed-on: https://chromium-review.googlesource.com/1201783
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55610}

fd334b32

array-splice.js 2.3 KB

Replace array-splice.js