[builtins] Fix missing check in Array.prototype.filter.

This fixes a missing fast-path check in the code-stub implementation of the {Array.prototype.filter} method. Appending to the target JSArray is only correct if the underlying length did not change. R=jgruber@chromium.org TEST=mjsunit/regress/regress-6657 BUG=v8:6657 Change-Id: Ida8d3511485b649b70d9a4b161742d494ebe4dac Reviewed-on: https://chromium-review.googlesource.com/600467Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#47156}

[builtins] Fix missing check in Array.prototype.filter.
This fixes a missing fast-path check in the code-stub implementation of the {Array.prototype.filter} method. Appending to the target JSArray is only correct if the underlying length did not change. R=jgruber@chromium.org TEST=mjsunit/regress/regress-6657 BUG=v8:6657 Change-Id: Ida8d3511485b649b70d9a4b161742d494ebe4dac Reviewed-on: https://chromium-review.googlesource.com/600467Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#47156}
b329b249 · Michael Starzinger · Commit Bot · 56f39229 · b329b249 · b329b249
Commit b329b249 authored Aug 03, 2017 by Michael Starzinger Committed by Commit Bot Aug 04, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 0 deletions

builtins-array-gen.cc src/builtins/builtins-array-gen.cc +1 -0

regress-6657.js test/mjsunit/regress/regress-6657.js +38 -0

No files found.
--- a/src/builtins/builtins-array-gen.cc
+++ b/src/builtins/builtins-array-gen.cc
@@ -116,6 +116,7 @@ class ArrayBuiltinCodeStubAssembler : public CodeStubAssembler {

      BIND(&fast);
      {
+        GotoIf(SmiNotEqual(LoadJSArrayLength(a()), to_.value()), &runtime);
        kind = EnsureArrayPushable(a(), &runtime);
        GotoIf(IsElementsKindGreaterThan(kind, HOLEY_SMI_ELEMENTS),
               &object_push_pre);

--- a/test/mjsunit/regress/regress-6657.js
+++ b/test/mjsunit/regress/regress-6657.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+(function TestArrayNonEmptySpecies() {
+  class MyArray extends Array {
+    constructor() { return [1, 2, 3]; }
+  }
+  var a = [5, 4];
+  a.__proto__ = MyArray.prototype;
+  var o = a.filter(() => true);
+  assertEquals([5, 4, 3], o);
+  assertEquals(3, o.length);
+})();
+
+(function TestArrayLeakingSpeciesInsertInCallback() {
+  var my_array = [];
+  class MyArray extends Array {
+    constructor() { return my_array; }
+  }
+  var a = [5, 4];
+  a.__proto__ = MyArray.prototype;
+  var o = a.filter(() => (my_array[2] = 3, true));
+  assertEquals([5, 4, 3], o);
+  assertEquals(3, o.length);
+})();
+
+(function TestArrayLeakingSpeciesRemoveInCallback() {
+  var my_array = [];
+  class MyArray extends Array {
+    constructor() { return my_array; }
+  }
+  var a = [5, 4, 3, 2, 1];
+  a.__proto__ = MyArray.prototype;
+  var o = a.filter(() => (my_array.length = 0, true));
+  assertEquals([,,,,1], o);
+  assertEquals(5, o.length);
+})();