Commit c6f9883d authored by verwaest's avatar verwaest Committed by Commit bot

Remove oob elements collected from the prototype chain by trimming in GetArrayKeys

BUG=chromium:594953
LOG=n

Review URL: https://codereview.chromium.org/1817443003

Cr-Commit-Position: refs/heads/master@{#34893}
parent b3bda50d
...@@ -272,12 +272,10 @@ function SparseSlice(array, start_i, del_count, len, deleted_elements) { ...@@ -272,12 +272,10 @@ function SparseSlice(array, start_i, del_count, len, deleted_elements) {
var length = indices.length; var length = indices.length;
for (var k = 0; k < length; ++k) { for (var k = 0; k < length; ++k) {
var key = indices[k]; var key = indices[k];
if (!IS_UNDEFINED(key)) { if (key >= start_i) {
if (key >= start_i) { var current = array[key];
var current = array[key]; if (!IS_UNDEFINED(current) || key in array) {
if (!IS_UNDEFINED(current) || key in array) { DefineIndexedProperty(deleted_elements, key - start_i, current);
DefineIndexedProperty(deleted_elements, key - start_i, current);
}
} }
} }
} }
...@@ -314,21 +312,19 @@ function SparseMove(array, start_i, del_count, len, num_additional_args) { ...@@ -314,21 +312,19 @@ function SparseMove(array, start_i, del_count, len, num_additional_args) {
var length = indices.length; var length = indices.length;
for (var k = 0; k < length; ++k) { for (var k = 0; k < length; ++k) {
var key = indices[k]; var key = indices[k];
if (!IS_UNDEFINED(key)) { if (key < start_i) {
if (key < start_i) { var current = array[key];
var current = array[key]; if (!IS_UNDEFINED(current) || key in array) {
if (!IS_UNDEFINED(current) || key in array) { new_array[key] = current;
new_array[key] = current; }
} } else if (key >= start_i + del_count) {
} else if (key >= start_i + del_count) { var current = array[key];
var current = array[key]; if (!IS_UNDEFINED(current) || key in array) {
if (!IS_UNDEFINED(current) || key in array) { var new_key = key - del_count + num_additional_args;
var new_key = key - del_count + num_additional_args; new_array[new_key] = current;
new_array[new_key] = current; if (new_key > 0xfffffffe) {
if (new_key > 0xfffffffe) { big_indices = big_indices || new InternalArray();
big_indices = big_indices || new InternalArray(); big_indices.push(new_key);
big_indices.push(new_key);
}
} }
} }
} }
...@@ -1066,8 +1062,7 @@ function InnerArraySort(array, length, comparefn) { ...@@ -1066,8 +1062,7 @@ function InnerArraySort(array, length, comparefn) {
} else { } else {
for (var i = 0; i < indices.length; i++) { for (var i = 0; i < indices.length; i++) {
var index = indices[i]; var index = indices[i];
if (!IS_UNDEFINED(index) && !HAS_OWN_PROPERTY(obj, index) if (!HAS_OWN_PROPERTY(obj, index) && HAS_OWN_PROPERTY(proto, index)) {
&& HAS_OWN_PROPERTY(proto, index)) {
obj[index] = proto[index]; obj[index] = proto[index];
if (index >= max) { max = index + 1; } if (index >= max) { max = index + 1; }
} }
...@@ -1094,8 +1089,7 @@ function InnerArraySort(array, length, comparefn) { ...@@ -1094,8 +1089,7 @@ function InnerArraySort(array, length, comparefn) {
} else { } else {
for (var i = 0; i < indices.length; i++) { for (var i = 0; i < indices.length; i++) {
var index = indices[i]; var index = indices[i];
if (!IS_UNDEFINED(index) && from <= index && if (from <= index && HAS_OWN_PROPERTY(proto, index)) {
HAS_OWN_PROPERTY(proto, index)) {
obj[index] = UNDEFINED; obj[index] = UNDEFINED;
} }
} }
...@@ -1379,7 +1373,7 @@ function InnerArrayIndexOf(array, element, index, length) { ...@@ -1379,7 +1373,7 @@ function InnerArrayIndexOf(array, element, index, length) {
while (i < n && sortedKeys[i] < index) i++; while (i < n && sortedKeys[i] < index) i++;
while (i < n) { while (i < n) {
var key = sortedKeys[i]; var key = sortedKeys[i];
if (!IS_UNDEFINED(key) && array[key] === element) return key; if (array[key] === element) return key;
i++; i++;
} }
return -1; return -1;
...@@ -1438,7 +1432,7 @@ function InnerArrayLastIndexOf(array, element, index, length, argumentsLength) { ...@@ -1438,7 +1432,7 @@ function InnerArrayLastIndexOf(array, element, index, length, argumentsLength) {
var i = sortedKeys.length - 1; var i = sortedKeys.length - 1;
while (i >= 0) { while (i >= 0) {
var key = sortedKeys[i]; var key = sortedKeys[i];
if (!IS_UNDEFINED(key) && array[key] === element) return key; if (array[key] === element) return key;
i--; i--;
} }
return -1; return -1;
......
...@@ -211,12 +211,19 @@ RUNTIME_FUNCTION(Runtime_GetArrayKeys) { ...@@ -211,12 +211,19 @@ RUNTIME_FUNCTION(Runtime_GetArrayKeys) {
JSObject::CollectOwnElementKeys(current, &accumulator, ALL_PROPERTIES); JSObject::CollectOwnElementKeys(current, &accumulator, ALL_PROPERTIES);
} }
// Erase any keys >= length. // Erase any keys >= length.
// TODO(adamk): Remove this step when the contract of %GetArrayKeys
// is changed to let this happen on the JS side.
Handle<FixedArray> keys = accumulator.GetKeys(KEEP_NUMBERS); Handle<FixedArray> keys = accumulator.GetKeys(KEEP_NUMBERS);
int j = 0;
for (int i = 0; i < keys->length(); i++) { for (int i = 0; i < keys->length(); i++) {
if (NumberToUint32(keys->get(i)) >= length) keys->set_undefined(i); if (NumberToUint32(keys->get(i)) >= length) continue;
if (i != j) keys->set(j, keys->get(i));
j++;
} }
if (j != keys->length()) {
isolate->heap()->RightTrimFixedArray<Heap::CONCURRENT_TO_SWEEPER>(
*keys, keys->length() - j);
}
return *isolate->factory()->NewJSArrayWithElements(keys); return *isolate->factory()->NewJSArrayWithElements(keys);
} }
......
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
Array.prototype[10000000] = 1;
Array(1000).join();
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment