61bb129f37
In ArrayBuiltinsAssembler::VisitAllFastElementsOneKind(), we enumerate an arrays elements, carefully checking for the "hole" when required. This code is only called for arrays whose prototype is the initial array prototype. And the path is only available when the initial array prototype is free of elements. Since that's the case, we only need to verify that the initial array prototype remains free of elements during an iteration with javascript callbacks. We don't need a body of code that can walk the prototype chain looking for elements visible through the "hole" value. In practice, this code was never run. Change-Id: Iba5e275c559d495aa1cf6a4f29d66e2ce475c981 Reviewed-on: https://chromium-review.googlesource.com/1015023 Commit-Queue: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#52660}
27 lines
728 B
JavaScript
27 lines
728 B
JavaScript
// Copyright 2015 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
(()=>{
|
|
var a = [0,1,2,,,,7];
|
|
var proto = {}
|
|
a.__proto__ = proto;
|
|
var visits = 0;
|
|
Array.prototype.forEach.call(a, (v,i,o) => { ++visits; proto[4] = 4; });
|
|
assertEquals(5, visits);
|
|
})();
|
|
|
|
// We have a fast path for arrays with the initial array prototype.
|
|
// If elements are inserted into the initial array prototype as we traverse
|
|
// a holey array, we should gracefully exit the fast path.
|
|
(()=>{
|
|
let a = [1, 2, 3,,,, 7];
|
|
function poison(v, i) {
|
|
if (i === 2) {
|
|
[].__proto__[4] = 3;
|
|
}
|
|
return v*v;
|
|
}
|
|
a.forEach(poison);
|
|
})();
|