Array.concat: properly go to dictionary mode when required

BUG=chromium:387031
LOG=y
R=danno@chromium.org

Review URL: https://codereview.chromium.org/342333002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21903 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
jkummerow@chromium.org 2014-06-20 15:40:21 +00:00
parent b7d18d0eff
commit 1d35d6d871
2 changed files with 25 additions and 2 deletions


@ -10040,7 +10040,7 @@ class ArrayConcatVisitor {
// getters on the arrays increasing the length of later arrays
// during iteration.
// This shouldn't happen in anything but pathological cases.
SetDictionaryMode(index);
SetDictionaryMode();
// Fall-through to dictionary mode.
}
ASSERT(!fast_elements_);
@ -10061,6 +10061,14 @@ class ArrayConcatVisitor {
} else {
index_offset_ += delta;
}
// If the initial length estimate was off (see special case in visit()),
// but the array blowing the limit didn't contain elements beyond the
// provided-for index range, go to dictionary mode now.
if (fast_elements_ &&
index_offset_ >= static_cast<uint32_t>(
FixedArrayBase::cast(*storage_)->length())) {
SetDictionaryMode();
}
}
bool exceeds_array_limit() {
@ -10082,7 +10090,7 @@ class ArrayConcatVisitor {
private:
// Convert storage to dictionary mode.
void SetDictionaryMode(uint32_t index) {
void SetDictionaryMode() {
ASSERT(fast_elements_);
Handle<FixedArray> current_storage(*storage_);
Handle<SeededNumberDictionary> slow_storage(
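Review bot: The new guard `index_offset_ >= static_cast<uint32_t>(` in the second hunk switches to dictionary mode as soon as the offset equals the backing store's length, which is also the state of an exactly-sized fast result after its last array has been appended. Only an offset strictly greater than the storage length means the result would claim more elements than were allocated, so `index_offset_ > static_cast<uint32_t>(` looks sufficient for the out-of-bounds case and would keep ordinary concats on the fast path. This assumes the initial estimate normally equals the summed lengths, which is not visible here. The fast-path bounds check in visit() is only partly visible in the first hunk, so confirm it still sends `index == length` to dictionary mode before relaxing the comparison. The enclosing function starts outside the hunk.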


@ -0,0 +1,15 @@
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
a = [1];
b = [];
a.__defineGetter__(0, function () {
b.length = 0xffffffff;
});
c = a.concat(b);
for (var i = 0; i < 20; i++) {
assertEquals(undefined, (c[i]));
}
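Review bot: The regression test has no comment saying what it guards, and its `// Flags: --allow-natives-syntax` line is unused because no `%` native call appears in the file. Consider dropping the flag and adding a header comment such as `// Regression test for chromium:387031: a getter that grows a later array during concat must not leave the result in fast mode with undersized storage.` The loop only reads indices 0..19, so an assertion on the result's length or elements kind would tie the test more directly to the dictionary-mode transition. The expected length is not derivable from this page, so it needs checking against the implementation.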