Fix Array.filter to use internal array for result.

In built-in code we use arrays for internal computations. This makes it possible to affect the built-in code by putting getters or setters on the array prototype chain. Using internal arrays prevents those issues. Related to: http://code.google.com/p/v8/source/detail?r=7040 R=svenpanne@chromium.org TEST=test262/15.4.4.20-9-b-6 Review URL: http://codereview.chromium.org/8353006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9707 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-10-19 13:44:29 +00:00 · 2011-10-19 13:44:29 +00:00 · 6742176949
commit 6742176949
parent aaf3454248
2 changed files with 5 additions and 18 deletions
--- a/src/array.js
+++ b/src/array.js
@ -1017,16 +1017,18 @@ function ArrayFilter(f, receiver) {
    receiver = ToObject(receiver);
  }

-  var result = [];
-  var result_length = 0;
+  var result = new $Array();
+  var accumulator = new InternalArray();
+  var accumulator_length = 0;
  for (var i = 0; i < length; i++) {
    var current = array[i];
    if (!IS_UNDEFINED(current) || i in array) {
      if (%_CallFunction(receiver, current, i, array, f)) {
-        result[result_length++] = current;
+        accumulator[accumulator_length++] = current;
      }
    }
  }
+  %MoveArrayContents(accumulator, result);
  return result;
 }

--- a/test/test262/test262.status
+++ b/test/test262/test262.status
@ -475,24 +475,9 @@ S15.4.4.3_A2_T1: FAIL_OK
 # Bug? Array.prototype.map - decreasing length of array does not delete
 #      non-configurable properties
 15.4.4.19-8-b-16: FAIL
-# Bug? Array.prototype.filter - properties can be added to prototype after
-#      current position are visited on an Array-like object
-15.4.4.20-9-b-6: FAIL
 # Bug? Array.prototype.filter - decreasing length of array does not delete
 #      non-configurable properties
 15.4.4.20-9-b-16: FAIL
-# Bug? Array.prototype.filter - element to be retrieved is own data property
-#      that overrides an inherited accessor property on an Array
-15.4.4.20-9-c-i-6: FAIL
-# Bug? Array.prototype.filter - element to be retrieved is own accessor property
-#      that overrides an inherited accessor property on an Array
-15.4.4.20-9-c-i-14: FAIL
-# Bug? Array.prototype.filter - element to be retrieved is inherited accessor
-#      property on an Array
-15.4.4.20-9-c-i-16: FAIL
-# Bug? Array.prototype.filter - element to be retrieved is inherited accessor
-#      property without a get function on an Array
-15.4.4.20-9-c-i-22: FAIL
 # Bug? Array.prototype.reduce - decreasing length of array in step 8 does not
 #      delete non-configurable properties
 15.4.4.21-9-b-16: FAIL