Commit 4d70aa02 authored by Daniel Clifford's avatar Daniel Clifford Committed by Commit Bot

Fix hole handling in fast arguments slice

Bug: chromium:784080
Change-Id: I38c539435d867f6abb80218457e5b5a982e34817
Reviewed-on: https://chromium-review.googlesource.com/785210Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
Commit-Queue: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49571}
parent eeb32224
...@@ -1166,15 +1166,25 @@ class FastArraySliceCodeStubAssembler : public CodeStubAssembler { ...@@ -1166,15 +1166,25 @@ class FastArraySliceCodeStubAssembler : public CodeStubAssembler {
BuildFastLoop( BuildFastLoop(
var_list, from_mapped, to, var_list, from_mapped, to,
[this, result_elements, arguments_context, sloppy_elements, [this, result_elements, arguments_context, sloppy_elements,
&index_out](Node* current) { unmapped_elements, &index_out](Node* current) {
Node* context_index = LoadFixedArrayElement( Node* context_index = LoadFixedArrayElement(
sloppy_elements, current, sloppy_elements, current,
kPointerSize * SloppyArgumentsElements::kParameterMapStart, kPointerSize * SloppyArgumentsElements::kParameterMapStart,
SMI_PARAMETERS); SMI_PARAMETERS);
Node* argument = Label is_the_hole(this), done(this);
GotoIf(IsTheHole(context_index), &is_the_hole);
Node* mapped_argument =
LoadContextElement(arguments_context, SmiUntag(context_index)); LoadContextElement(arguments_context, SmiUntag(context_index));
StoreFixedArrayElement(result_elements, index_out.value(),
mapped_argument, SKIP_WRITE_BARRIER);
Goto(&done);
BIND(&is_the_hole);
Node* argument = LoadFixedArrayElement(unmapped_elements, current, 0,
SMI_PARAMETERS);
StoreFixedArrayElement(result_elements, index_out.value(), argument, StoreFixedArrayElement(result_elements, index_out.value(), argument,
SKIP_WRITE_BARRIER); SKIP_WRITE_BARRIER);
Goto(&done);
BIND(&done);
index_out.Bind(IntPtrAdd(index_out.value(), IntPtrConstant(1))); index_out.Bind(IntPtrAdd(index_out.value(), IntPtrConstant(1)));
}, },
1, SMI_PARAMETERS, IndexAdvanceMode::kPost); 1, SMI_PARAMETERS, IndexAdvanceMode::kPost);
......
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function() {
function f(a, b, a) {
return Array.prototype.slice.call(arguments);
}
let result = f(456, 789, 111112);
assertEquals(result[0], 456);
assertEquals(result[1], 789);
assertEquals(result[2], 111112);
assertEquals(result.length, 3);
})();
(function() {
function f(a, b, a) {
return Array.prototype.slice.call(arguments);
}
let result = f(456, 789, 111112, 543, 654);
assertEquals(result[0], 456);
assertEquals(result[1], 789);
assertEquals(result[2], 111112);
assertEquals(result[3], 543);
assertEquals(result[4], 654);
assertEquals(result.length, 5);
})();
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment