Always check copy_size before getting accessor and trying to copy.

Review URL: https://chromiumcodereview.appspot.com/11348071 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13001 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Always check copy_size before getting accessor and trying to copy.
Review URL: https://chromiumcodereview.appspot.com/11348071 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13001 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
397f5291 · verwaest@chromium.org · 08cfda49 · 397f5291
Commit 397f5291 authored Nov 19, 2012 by verwaest@chromium.org
Show whitespace changes
Inline Side-by-side

Showing with 48 additions and 39 deletions

builtins.cc src/builtins.cc +48 -39

No files found.
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -574,11 +574,13 @@ BUILTIN(ArrayPush) {
      MaybeObject* maybe_obj = heap->AllocateUninitializedFixedArray(capacity);
      if (!maybe_obj->To(&new_elms)) return maybe_obj;

+      if (len > 0) {
        ElementsAccessor* accessor = array->GetElementsAccessor();
        MaybeObject* maybe_failure =
            accessor->CopyElements(array, 0, new_elms, kind, 0, len, elms_obj);
        ASSERT(!maybe_failure->IsFailure());
        USE(maybe_failure);
+      }
      FillWithHoles(heap, new_elms, new_length, capacity);

      elms = new_elms;
@@ -621,11 +623,13 @@ BUILTIN(ArrayPush) {
          heap->AllocateUninitializedFixedDoubleArray(capacity);
      if (!maybe_obj->To(&new_elms)) return maybe_obj;

+      if (len > 0) {
        ElementsAccessor* accessor = array->GetElementsAccessor();
        MaybeObject* maybe_failure =
            accessor->CopyElements(array, 0, new_elms, kind, 0, len, elms_obj);
        ASSERT(!maybe_failure->IsFailure());
        USE(maybe_failure);
+      }

      FillWithHoles(new_elms, len + to_add, new_elms->length());
    } else {
@@ -783,12 +787,14 @@ BUILTIN(ArrayUnshift) {
    MaybeObject* maybe_elms = heap->AllocateUninitializedFixedArray(capacity);
    if (!maybe_elms->To(&new_elms)) return maybe_elms;

+    if (len > 0) {
      ElementsKind kind = array->GetElementsKind();
      ElementsAccessor* accessor = array->GetElementsAccessor();
      MaybeObject* maybe_failure =
          accessor->CopyElements(array, 0, new_elms, kind, to_add, len, elms);
      ASSERT(!maybe_failure->IsFailure());
      USE(maybe_failure);
+    }

    FillWithHoles(heap, new_elms, new_length, capacity);
    elms = new_elms;
@@ -929,6 +935,8 @@ BUILTIN(ArraySlice) {
  MaybeObject* maybe_array = heap->AllocateJSArrayAndStorage(kind,
                                                             result_len,
                                                             result_len);
+
+  if (result_len == 0) return maybe_array;
  if (!maybe_array->To(&result_array)) return maybe_array;

  ElementsAccessor* accessor = object->GetElementsAccessor();
@@ -1095,19 +1103,23 @@ BUILTIN(ArraySplice) {
      MaybeObject* maybe_obj = heap->AllocateUninitializedFixedArray(capacity);
      if (!maybe_obj->To(&new_elms)) return maybe_obj;

-      // Copy the part before actual_start as is.
      ElementsKind kind = array->GetElementsKind();
      ElementsAccessor* accessor = array->GetElementsAccessor();
+      if (actual_start > 0) {
+        // Copy the part before actual_start as is.
        MaybeObject* maybe_failure = accessor->CopyElements(
            array, 0, new_elms, kind, 0, actual_start, elms);
        ASSERT(!maybe_failure->IsFailure());
        USE(maybe_failure);
+      }
      const int to_copy = len - actual_delete_count - actual_start;
-      maybe_failure = accessor->CopyElements(
+      if (to_copy > 0) {
+        MaybeObject* maybe_failure = accessor->CopyElements(
            array, actual_start + actual_delete_count, new_elms, kind,
            actual_start + item_count, to_copy, elms);
        ASSERT(!maybe_failure->IsFailure());
        USE(maybe_failure);
+      }

      FillWithHoles(heap, new_elms, new_length, capacity);

@@ -1186,14 +1198,9 @@ BUILTIN(ArrayConcat) {
    }

    ElementsKind arg_kind = JSArray::cast(arg)->map()->elements_kind();
-    ElementsKind packed_kind = GetPackedElementsKind(arg_kind);
-    if (IsMoreGeneralElementsKindTransition(
-            GetPackedElementsKind(elements_kind), packed_kind)) {
-      if (IsFastHoleyElementsKind(elements_kind)) {
-        elements_kind = GetHoleyElementsKind(arg_kind);
-      } else {
-        elements_kind = arg_kind;
-      }
+    if (IsMoreGeneralElementsKindTransition(elements_kind, arg_kind)) {
+      elements_kind = IsFastHoleyElementsKind(elements_kind)
+          ? GetHoleyElementsKind(arg_kind) : arg_kind;
    }
  }

@@ -1210,13 +1217,15 @@ BUILTIN(ArrayConcat) {
  FixedArrayBase* storage = result_array->elements();
  for (int i = 0; i < n_arguments; i++) {
    JSArray* array = JSArray::cast(args[i]);
-    ElementsAccessor* accessor = array->GetElementsAccessor();
    int len = Smi::cast(array->length())->value();
+    if (len > 0) {
+      ElementsAccessor* accessor = array->GetElementsAccessor();
      MaybeObject* maybe_failure =
          accessor->CopyElements(array, 0, storage, elements_kind, j, len);
      if (maybe_failure->IsFailure()) return maybe_failure;
      j += len;
    }
+  }

  ASSERT(j == result_len);