shiftCountWithArrayStorage should exit to slow path if the object has a sparse map.
Author: mmirman@apple.com <mmirman@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 12 Dec 2014 23:46:13 +0000 (23:46 +0000)
Committer: mmirman@apple.com <mmirman@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 12 Dec 2014 23:46:13 +0000 (23:46 +0000)
https://bugs.webkit.org/show_bug.cgi?id=139598
<rdar://problem/18779367>

Reviewed by Filip Pizlo.

* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage): Added check for object having a sparse map.
* tests/stress/sparse_splice.js: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@177245 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSArray.cpp
Source/JavaScriptCore/tests/stress/sparse_splice.js [new file with mode: 0644]

index f0adeb1..eda7f07 100644 (file)
@@ -1,3 +1,15 @@
+2014-12-12  Matthew Mirman  <mmirman@apple.com>
+
+        shiftCountWithArrayStorage should exit to slow path if the object has a sparse map.
+        https://bugs.webkit.org/show_bug.cgi?id=139598
+        <rdar://problem/18779367>
+
+        Reviewed by Filip Pizlo.
+
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::shiftCountWithArrayStorage): Added check for object having a sparse map.
+        * tests/stress/sparse_splice.js: Added.
+
 2014-12-12  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
 
         Final clean up OwnPtr in JSC - runtime, ftl, and tool directories
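Review bot: the `* tests/stress/sparse_splice.js: Added.` entry says nothing about what the test exercises; a short phrase such as "Added. Covers splice() on an array whose elements live in the sparse map." would make the entry useful when someone later searches the ChangeLog for sparse-map regressions.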
index 16effe6..517721e 100644 (file)
@@ -675,7 +675,7 @@ bool JSArray::shiftCountWithArrayStorage(VM& vm, unsigned startIndex, unsigned c
     // If the array contains holes or is otherwise in an abnormal state,
     // use the generic algorithm in ArrayPrototype.
     if ((storage->hasHoles() && this->structure(vm)->holesMustForwardToPrototype(vm)) 
-        || inSparseIndexingMode() 
+        || hasSparseMap() 
         || shouldUseSlowPut(indexingType())) {
         return false;
     }
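Review bot: the `-`/`+` pair replaces `inSparseIndexingMode()` with `hasSparseMap()` rather than adding the new check alongside the old one, so the fast path now depends on every object in sparse indexing mode also reporting `hasSparseMap()`; if that is not guaranteed, keep both terms (`|| inSparseIndexingMode() || hasSparseMap()`) so no sparse-indexed object is shifted by the array-storage fast path, which only sees the vector portion and would silently skip entries held in the map. Minor: the added line `+        || hasSparseMap() ` carries the trailing space over from the line it replaces.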
diff --git a/Source/JavaScriptCore/tests/stress/sparse_splice.js b/Source/JavaScriptCore/tests/stress/sparse_splice.js
new file mode 100644 (file)
index 0000000..6565dd4
--- /dev/null
@@ -0,0 +1,12 @@
+var myArray = Array();
+myArray[ 10000 ] = "a";
+myArray[ 10001 ] = "b";
+myArray[ 10002 ] = "c";
+
+// remove element at index 1001
+myArray.splice( 10001, 1 );
+
+if (myArray[10000] != "a")
+    throw "Splicing Error! start index changed";
+if (myArray[10001] != "c")
+    throw "Splicing Error! removed element not removed";
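Review bot: the comment `// remove element at index 1001` does not match the call `myArray.splice( 10001, 1 );`; it should read `index 10001`. The assertions also leave two observable effects of the splice unchecked: `myArray.length` should be 10002 afterwards, and index 10002 should no longer exist (`10002 in myArray` should be false). Adding those two checks would catch a fast path that shifts the vector but leaves the sparse map and length untouched, which is the failure mode this test is meant to guard against.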