fd334b3216
Before, splice was implemented with a C++ fast path and a comprehensive JavaScript version. This impl. is entirely in Torque with a fastpath for SMI, DOUBLE and OBJECT arrays, and a comprehensive slow path. The same level of "sparse" array support as given by the array.js implementation is included. This reland addresses several issues: * Removed "sparse" array support from splice. * Addressed ClusterFuzz issue 876443: The test and code that uses the fix is in this CL. The fix in isolation can be seen here: https://chromium-review.googlesource.com/c/v8/v8/+/1199403 * Removed dead code in elements.cc BUG=chromium:876443, v8:8131, v8:1956, v8:7221 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: I2d4a66c24ba1edabeca34e27e6ff8ee6136ed5f1 Reviewed-on: https://chromium-review.googlesource.com/1201783 Commit-Queue: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#55610}
10 lines
239 B
JavaScript
10 lines
239 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
//
|
|
// Flags:
|
|
|
|
var a = [5.65];
|
|
a.splice(0);
|
|
var b = a.splice(-4, 9, 10);
|