AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[typedarray] Use slow case more aggressively in CopyElementsHandleImpl

Browse Source 
Change-Id: If133fe47a086ed273446ee7e8f8af85bf9fc8389
Reviewed-on: https://chromium-review.googlesource.com/1108203
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53921}
This commit is contained in:
Peter Marshall 2018-06-21 13:30:15 +02:00 committed by Commit Bot
parent b8cf9627b9
commit bededee46e
3 changed files with 36 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
src/elements.cc
View File

@ -3408,6 +3408,16 @@ class TypedElementsAccessor
DisallowHeapAllocation no_gc;
DisallowJavascriptExecution no_js(isolate);
size_t current_length;
DCHECK(source->length()->IsNumber() &&
TryNumberToSize(source->length(), &current_length) &&
length <= current_length);
USE(current_length);
size_t dest_length = destination->length_value();
DCHECK(length + offset <= dest_length);
USE(dest_length);
ElementsKind kind = source->GetElementsKind();
BackingStore* dest = BackingStore::cast(destination->elements());
@ -3553,10 +3563,17 @@ class TypedElementsAccessor
// Fast cases for packed numbers kinds where we don't need to allocate.
if (source->IsJSArray()) {
Handle<JSArray> source_array = Handle<JSArray>::cast(source);
if (TryCopyElementsFastNumber(isolate->context(), *source_array,
*destination_ta, length, offset)) {
return *isolate->factory()->undefined_value();
Handle<JSArray> source_js_array = Handle<JSArray>::cast(source);
size_t current_length;
if (source_js_array->length()->IsNumber() &&
TryNumberToSize(source_js_array->length(), &current_length)) {
if (length <= current_length) {
Handle<JSArray> source_array = Handle<JSArray>::cast(source);
if (TryCopyElementsFastNumber(isolate->context(), *source_array,
*destination_ta, length, offset)) {
return *isolate->factory()->undefined_value();
}
}
}
}
// Final generic case that handles prototype chain lookups, getters, proxies

14
test/mjsunit/regress/regress-854066-2.js Normal file
View File

@ -0,0 +1,14 @@
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
oobArray = [];
delete oobArray.__proto__[Symbol.iterator];
for (let i = 0; i < 1e5; ++i) {
oobArray[i] = 1.1;
}
floatArray = new Float64Array(oobArray.length);
Float64Array.from.call(function(length) {
oobArray.length = 0;
return floatArray;
}, oobArray);

2
test/mjsunit/regress/regress-854066.js
View File

@ -3,7 +3,7 @@
// found in the LICENSE file.
oobArray = [];
for (let i = 0; i < 1024 * 1024; ++i) {
for (let i = 0; i < 1e5; ++i) {
oobArray[i] = 1.1;
}
floatArray = new Float64Array(oobArray.length);