b87e762324
This CL changes Array.p.fill to use the baseline implementation for everything other than JSArray. One of the reasons is that shadowing the length property on TypedArrays (and other ElementsKinds) is allowed and should be respected by Array.p.fill. The fast-path for fill for TypedArrays expects the indices to be clamped to the actual length of the underlying backing store and not to some length property. While this mismatch (and others) could probably be handled properly, we do the conservative thing and only use the fast-path for specific JSArrays. R=jgruber@chromium.org Bug: chromium:865312 Change-Id: Ib3050e3bfc22d47ca8597b6df34788dc2b59b6e1 Reviewed-on: https://chromium-review.googlesource.com/1142772 Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Simon Zünd <szuend@google.com> Cr-Commit-Position: refs/heads/master@{#54558}
35 lines
896 B
JavaScript
35 lines
896 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
const intArrayConstructors = [
|
|
Uint8Array,
|
|
Int8Array,
|
|
Uint16Array,
|
|
Int16Array,
|
|
Uint32Array,
|
|
Int32Array,
|
|
Uint8ClampedArray
|
|
];
|
|
|
|
const floatArrayConstructors = [
|
|
Float32Array,
|
|
Float64Array
|
|
];
|
|
|
|
const typedArrayConstructors = [...intArrayConstructors,
|
|
...floatArrayConstructors];
|
|
|
|
for (let constructor of typedArrayConstructors) {
|
|
// Shadowing the length of a TypedArray should work for Array.p.fill,
|
|
// but not crash it.
|
|
let array = new constructor([2, 2]);
|
|
assertEquals(2, array.length);
|
|
|
|
Object.defineProperty(array, 'length', {value: 5});
|
|
Array.prototype.fill.call(array, 5);
|
|
|
|
assertArrayEquals([5, 5], [array[0], array[1]]);
|
|
assertEquals(undefined, array[2]);
|
|
}
|