AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Use intrinsics for builtin ArrayBuffer property accesses

Browse Source 
BUG=chromium:351787
LOG=y
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/197793003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19862 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
jkummerow@chromium.org 2014-03-12 19:25:40 +00:00
parent df5ac19412
commit f9ee4f19b4
4 changed files with 54 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/arraybuffer.js
View File

@ -57,17 +57,18 @@ function ArrayBufferSlice(start, end) {
var relativeStart = TO_INTEGER(start);
var first;
var byte_length = %ArrayBufferGetByteLength(this);
if (relativeStart < 0) {
first = MathMax(this.byteLength + relativeStart, 0);
first = MathMax(byte_length + relativeStart, 0);
} else {
first = MathMin(relativeStart, this.byteLength);
first = MathMin(relativeStart, byte_length);
}
var relativeEnd = IS_UNDEFINED(end) ? this.byteLength : TO_INTEGER(end);
var relativeEnd = IS_UNDEFINED(end) ? byte_length : TO_INTEGER(end);
var fin;
if (relativeEnd < 0) {
fin = MathMax(this.byteLength + relativeEnd, 0);
fin = MathMax(byte_length + relativeEnd, 0);
} else {
fin = MathMin(relativeEnd, this.byteLength);
fin = MathMin(relativeEnd, byte_length);
}
if (fin < first) {

4
src/runtime.cc
View File

@ -952,6 +952,10 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_TypedArrayInitializeFromArrayLike) {
Runtime::ArrayIdToTypeAndSize(arrayId, &array_type, &element_size);
Handle<JSArrayBuffer> buffer = isolate->factory()->NewJSArrayBuffer();
if (source->IsJSTypedArray() &&
JSTypedArray::cast(*source)->type() == array_type) {
length_obj = Handle<Object>(JSTypedArray::cast(*source)->length(), isolate);
}
size_t length = NumberToSize(isolate, *length_obj);
if ((length > static_cast<unsigned>(Smi::kMaxValue)) ||

4
src/typedarray.js
View File

@ -49,7 +49,7 @@ endmacro
macro TYPED_ARRAY_CONSTRUCTOR(ARRAY_ID, NAME, ELEMENT_SIZE)
function NAMEConstructByArrayBuffer(obj, buffer, byteOffset, length) {
var bufferByteLength = buffer.byteLength;
var bufferByteLength = %ArrayBufferGetByteLength(buffer);
var offset;
if (IS_UNDEFINED(byteOffset)) {
offset = 0;
@ -317,7 +317,7 @@ function DataViewConstructor(buffer, byteOffset, byteLength) { // length = 3
if (!IS_ARRAYBUFFER(buffer)) {
throw MakeTypeError('data_view_not_array_buffer', []);
}
var bufferByteLength = buffer.byteLength;
var bufferByteLength = %ArrayBufferGetByteLength(buffer);
var offset = IS_UNDEFINED(byteOffset) ?
0 : ToPositiveInteger(byteOffset, 'invalid_data_view_offset');
if (offset > bufferByteLength) {

42
test/mjsunit/regress/regress-crbug-351787.js Normal file
View File

@ -0,0 +1,42 @@
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
var ab1 = new ArrayBuffer(8);
ab1.__defineGetter__("byteLength", function() { return 1000000; });
var ab2 = ab1.slice(800000, 900000);
var array = new Uint8Array(ab2);
for (var i = 0; i < array.length; i++) {
assertEquals(0, array[i]);
}
assertEquals(0, array.length);
var ab3 = new ArrayBuffer(8);
ab3.__defineGetter__("byteLength", function() { return 0xFFFFFFFC; });
var aaa = new DataView(ab3);
for (var i = 10; i < aaa.length; i++) {
aaa.setInt8(i, 0xcc);
}
assertEquals(8, aaa.byteLength);
var a = new Int8Array(4);
a.__defineGetter__("length", function() { return 0xFFFF; });
var b = new Int8Array(a);
for (var i = 0; i < b.length; i++) {
assertEquals(0, b[i]);
}
var ab4 = new ArrayBuffer(8);
ab4.__defineGetter__("byteLength", function() { return 0xFFFFFFFC; });
var aaaa = new Uint32Array(ab4);
for (var i = 10; i < aaaa.length; i++) {
aaaa[i] = 0xcccccccc;
}
assertEquals(2, aaaa.length);