Commit f0ceb9f2 authored by Daniel Clifford's avatar Daniel Clifford Committed by Commit Bot

Fix bug in length handling of Array.prototype.slice fast-path

Bug: chromium:785804
Change-Id: I1a65e2007438ac009d961e0e2c0425212216fcf1
Reviewed-on: https://chromium-review.googlesource.com/776696Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
Commit-Queue: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49481}
parent f787bee6
......@@ -1109,6 +1109,11 @@ class FastArraySliceCodeStubAssembler : public CodeStubAssembler {
Node* elements_kind = LoadMapElementsKind(map);
GotoIfNot(IsFastElementsKind(elements_kind), &try_simple_slice);
// Make sure that the length hasn't been changed by side-effect.
Node* array_length = LoadJSArrayLength(array);
GotoIf(TaggedIsNotSmi(array_length), slow);
GotoIf(SmiAbove(SmiAdd(from, count), array_length), slow);
CSA_ASSERT(this, SmiGreaterThanOrEqual(from, SmiConstant(0)));
result.Bind(CallStub(CodeFactory::ExtractFastJSArray(isolate()), context,
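Review bot: The re-check added at L15-L17 only re-reads the length, while the elements-kind test at L13 uses `map`, which is loaded outside the hunk; if that load happened before the argument conversion that runs user code (the regression test in this commit shrinks the array from `valueOf`), the same callback could transition the elements kind and L13 would be checking a stale map — confirm `map` is reloaded after ToInteger, or reload it immediately before L12. The comment at L14 would also help a reader if it named the side effect it guards against: `// ToInteger(start/end) can run user code (e.g. valueOf) that shrinks the array; re-check the length afterwards.` The bound at L17 relies on `SmiAdd(from, count)` not wrapping; a `CSA_ASSERT` on `count >= 0` next to the existing one on `from` would make that precondition explicit. The enclosing method starts and ends outside the hunk.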
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let __v_25059 = {
valueOf: function () {
let __v_25062 = __v_25055.length;
__v_25055.length = 1;
return __v_25062;
}
};
let __v_25060 = [];
for (let __v_25063 = 0; __v_25063 < 1500; __v_25063++) {
__v_25060.push("" + 0.1);
}
for (let __v_25064 = 0; __v_25064 < 75; __v_25064++) {
__v_25055 = __v_25060.slice();
__v_25056 = __v_25055.slice(0, __v_25059);
}
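Review bot: The regression test only checks that the loop at L35-L38 does not crash; it never asserts what `__v_25056` holds, so a fast path that silently reads stale elements without faulting would still pass. Pinning the spec behaviour after the last iteration would close that gap, e.g. `assertEquals(1500, __v_25056.length); assertEquals("0.1", __v_25056[0]); assertFalse(1 in __v_25056);` — per the spec the result length is fixed before `valueOf` runs while elements beyond index 0 no longer exist when they are copied, but please confirm against the slow path before adopting the exact values. `__v_25055` and `__v_25056` at L36-L37 are assigned without a declaration and become implicit globals; `let __v_25055, __v_25056;` above the loop, or `'use strict'`-compatible declarations, would make the fuzzer-derived test readable as intentional.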