b329b24986
This fixes a missing fast-path check in the code-stub implementation of
the {Array.prototype.filter} method. Appending to the target JSArray is
only correct if the underlying length did not change.
R=jgruber@chromium.org
TEST=mjsunit/regress/regress-6657
BUG=v8:6657
Change-Id: Ida8d3511485b649b70d9a4b161742d494ebe4dac
Reviewed-on: https://chromium-review.googlesource.com/600467
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47156}
39 lines
1.1 KiB
JavaScript
39 lines
1.1 KiB
JavaScript
// Copyright 2017 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
(function TestArrayNonEmptySpecies() {
|
|
class MyArray extends Array {
|
|
constructor() { return [1, 2, 3]; }
|
|
}
|
|
var a = [5, 4];
|
|
a.__proto__ = MyArray.prototype;
|
|
var o = a.filter(() => true);
|
|
assertEquals([5, 4, 3], o);
|
|
assertEquals(3, o.length);
|
|
})();
|
|
|
|
(function TestArrayLeakingSpeciesInsertInCallback() {
|
|
var my_array = [];
|
|
class MyArray extends Array {
|
|
constructor() { return my_array; }
|
|
}
|
|
var a = [5, 4];
|
|
a.__proto__ = MyArray.prototype;
|
|
var o = a.filter(() => (my_array[2] = 3, true));
|
|
assertEquals([5, 4, 3], o);
|
|
assertEquals(3, o.length);
|
|
})();
|
|
|
|
(function TestArrayLeakingSpeciesRemoveInCallback() {
|
|
var my_array = [];
|
|
class MyArray extends Array {
|
|
constructor() { return my_array; }
|
|
}
|
|
var a = [5, 4, 3, 2, 1];
|
|
a.__proto__ = MyArray.prototype;
|
|
var o = a.filter(() => (my_array.length = 0, true));
|
|
assertEquals([,,,,1], o);
|
|
assertEquals(5, o.length);
|
|
})();
|