[builtins] fix slow-path handling of -Infinity in ArrayIncludes

This is a speculative fix, but I believe it might work. Idea is to keep `start_from` as a double while establishing an appropriate index to begin iteration. This should keep -Infinity intact rather than converting it to a positive high value, which would break the algorithm. This is similar to what had been implemented on the fast path before it was changed to send non-Smis to the slow path. BUG=v8:5986 R=bmeurer@chromium.org, cbruni@chromium.org, machenbach@chromium.org, adamk@chromium.org Change-Id: I9965fd2e75a8972f3f1c7a18e51bd580030a66ea Reviewed-on: https://chromium-review.googlesource.com/445857 Commit-Queue: Caitlin Potter <caitp@igalia.com> Reviewed-by: Adam Klein <adamk@chromium.org> Cr-Commit-Position: refs/heads/master@{#43358}

[builtins] fix slow-path handling of -Infinity in ArrayIncludes
This is a speculative fix, but I believe it might work. Idea is to keep `start_from` as a double while establishing an appropriate index to begin iteration. This should keep -Infinity intact rather than converting it to a positive high value, which would break the algorithm. This is similar to what had been implemented on the fast path before it was changed to send non-Smis to the slow path. BUG=v8:5986 R=bmeurer@chromium.org, cbruni@chromium.org, machenbach@chromium.org, adamk@chromium.org Change-Id: I9965fd2e75a8972f3f1c7a18e51bd580030a66ea Reviewed-on: https://chromium-review.googlesource.com/445857 Commit-Queue: Caitlin Potter <caitp@igalia.com> Reviewed-by: Adam Klein <adamk@chromium.org> Cr-Commit-Position: refs/heads/master@{#43358}
4cd8a8b7 · Caitlin Potter · Commit Bot · 8235558b · 4cd8a8b7 · 4cd8a8b7
Commit 4cd8a8b7 authored Feb 21, 2017 by Caitlin Potter Committed by Commit Bot Feb 21, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 13 deletions

runtime-array.cc src/runtime/runtime-array.cc +22 -13

array-includes.js test/mjsunit/es7/array-includes.js +1 -0

No files found.
--- a/src/runtime/runtime-array.cc
+++ b/src/runtime/runtime-array.cc
@@ -475,23 +475,32 @@ RUNTIME_FUNCTION(Runtime_ArrayIncludes_Slow) {

  // Let n be ? ToInteger(fromIndex). (If fromIndex is undefined, this step
  // produces the value 0.)
-  int64_t start_from;
-  {
+  int64_t index = 0;
+  if (!from_index->IsUndefined(isolate)) {
    ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, from_index,
                                       Object::ToInteger(isolate, from_index));
-    double fp = from_index->Number();
-    if (fp > len) return isolate->heap()->false_value();
-    start_from = static_cast<int64_t>(fp);
-  }

-  int64_t index;
-  if (start_from >= 0) {
-    index = start_from;
-  } else {
-    index = len + start_from;
-    if (index < 0) {
-      index = 0;
+    if (V8_LIKELY(from_index->IsSmi())) {
+      int start_from = Smi::cast(*from_index)->value();
+      if (start_from < 0) {
+        index = std::max<int64_t>(len + start_from, 0);
+      } else {
+        index = start_from;
+      }
+    } else {
+      DCHECK(from_index->IsHeapNumber());
+      double start_from = from_index->Number();
+      if (start_from >= len) return isolate->heap()->false_value();
+      if (V8_LIKELY(std::isfinite(start_from))) {
+        if (start_from < 0) {
+          index = static_cast<int64_t>(std::max<double>(start_from + len, 0));
+        } else {
+          index = start_from;
+        }
+      }
    }
+
+    DCHECK_GE(index, 0);
  }

  // If the receiver is not a special receiver type, and the length is a valid

--- a/test/mjsunit/es7/array-includes.js
+++ b/test/mjsunit/es7/array-includes.js
@@ -316,6 +316,7 @@

  assertFalse(Array.prototype.includes.call(arrayLikeWithTraps, "c", 2.1));
  assertFalse(Array.prototype.includes.call(arrayLikeWithTraps, "c", +Infinity));
+  assertFalse(["a", "b", "c"].includes("a", +Infinity));
  assertTrue(["a", "b", "c"].includes("a", -Infinity));
  assertTrue(["a", "b", "c"].includes("c", 2.9));
  assertTrue(["a", "b", "c"].includes("c", NaN));