fd334b3216
Before, splice was implemented with a C++ fast path and a comprehensive JavaScript version. This impl. is entirely in Torque with a fastpath for SMI, DOUBLE and OBJECT arrays, and a comprehensive slow path. The same level of "sparse" array support as given by the array.js implementation is included. This reland addresses several issues: * Removed "sparse" array support from splice. * Addressed ClusterFuzz issue 876443: The test and code that uses the fix is in this CL. The fix in isolation can be seen here: https://chromium-review.googlesource.com/c/v8/v8/+/1199403 * Removed dead code in elements.cc BUG=chromium:876443, v8:8131, v8:1956, v8:7221 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: I2d4a66c24ba1edabeca34e27e6ff8ee6136ed5f1 Reviewed-on: https://chromium-review.googlesource.com/1201783 Commit-Queue: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#55610} |
||
|---|---|---|
| .. | ||
| BUILD.gn | ||
| mozilla-shell-emulation.js | ||
| mozilla.status | ||
| testcfg.py | ||