Fix bug in length handling of Array.prototype.slice fast-path
Bug: chromium:785804 Change-Id: I1a65e2007438ac009d961e0e2c0425212216fcf1 Reviewed-on: https://chromium-review.googlesource.com/776696 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Daniel Clifford <danno@chromium.org> Cr-Commit-Position: refs/heads/master@{#49481}
This commit is contained in:
parent
f787bee6b6
commit
f0ceb9f277
@ -1109,6 +1109,11 @@ class FastArraySliceCodeStubAssembler : public CodeStubAssembler {
|
||||
Node* elements_kind = LoadMapElementsKind(map);
|
||||
GotoIfNot(IsFastElementsKind(elements_kind), &try_simple_slice);
|
||||
|
||||
// Make sure that the length hasn't been changed by side-effect.
|
||||
Node* array_length = LoadJSArrayLength(array);
|
||||
GotoIf(TaggedIsNotSmi(array_length), slow);
|
||||
GotoIf(SmiAbove(SmiAdd(from, count), array_length), slow);
|
||||
|
||||
CSA_ASSERT(this, SmiGreaterThanOrEqual(from, SmiConstant(0)));
|
||||
|
||||
result.Bind(CallStub(CodeFactory::ExtractFastJSArray(isolate()), context,
|
||||
|
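--- a/test/mjsunit/regress/regress-785804.js
+++ b/test/mjsunit/regress/regress-785804.js
@@ -0,0 +1,19 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+let __v_25059 = {
+valueOf: function () {
+let __v_25062 = __v_25055.length;
+__v_25055.length = 1;
+return __v_25062;
+}
+};
+let __v_25060 = [];
+for (let __v_25063 = 0; __v_25063 < 1500; __v_25063++) {
+__v_25060.push("" + 0.1);
+}
+for (let __v_25064 = 0; __v_25064 < 75; __v_25064++) {
+__v_25055 = __v_25060.slice();
+__v_25056 = __v_25055.slice(0, __v_25059);
+}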
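Review bot: `__v_25055` and `__v_25056` are assigned in the second loop without ever being declared, so the test relies on sloppy-mode implicit globals and would throw a ReferenceError under `'use strict'` or if the harness ever runs regress files as modules; a `let __v_25055; let __v_25056;` before the `__v_25059` object literal (the `valueOf` reads `__v_25055`, so the binding must exist before it is called) keeps the test valid in either mode. The file also has no comment stating what it exercises: the `valueOf` on the end argument shrinks the receiver to length 1 while `slice` is converting its arguments, which is exactly the side-effect the companion change to the slice fast path now re-checks, and a one-line comment above the object literal saying so would make the regression self-explanatory. The fuzzer-style names (`__v_25059` etc.) are presumably kept verbatim from the reported case; if they are renamed, `array`, `endWithSideEffect` and similar would read better without changing behaviour.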