JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too.
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 18 Apr 2017 05:55:41 +0000 (05:55 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 18 Apr 2017 05:55:41 +0000 (05:55 +0000)
https://bugs.webkit.org/show_bug.cgi?id=170896
<rdar://problem/31651319>

Reviewed by JF Bastien and Keith Miller.

JSTests:

* stress/regress-170896.js: Added.

Source/JavaScriptCore:

* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@215451 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/regress-170896.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSArray.cpp

index cc2aec8..f9c4581 100644 (file)
@@ -1,3 +1,13 @@
+2017-04-17  Mark Lam  <mark.lam@apple.com>
+
+        JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too.
+        https://bugs.webkit.org/show_bug.cgi?id=170896
+        <rdar://problem/31651319>
+
+        Reviewed by JF Bastien and Keith Miller.
+
+        * stress/regress-170896.js: Added.
+
 2017-04-16  Joseph Pecoraro  <pecoraro@apple.com>
 
         test262: test262/test/built-ins/Object/prototype/toLocaleString/primitive_this_value.js
diff --git a/JSTests/stress/regress-170896.js b/JSTests/stress/regress-170896.js
new file mode 100644 (file)
index 0000000..6d19027
--- /dev/null
@@ -0,0 +1,13 @@
+function test() {
+    let a = [,,,,,,,,,];
+    return a.concat();
+}
+noInline(test);
+
+test()[0] = {};
+
+for (let i = 0; i < 20000; ++i) {
+    var result = test();
+    if (result[0])
+        throw result.toString();
+}
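Review bot: The test carries no comment saying what it guards against, so a reader has to reconstruct the intent from the bug number in the file name. A header comment such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=170896: concat() of an array whose indexing type is still Undecided must yield holes, not whatever the storage previously held.` would make the expectation explicit; the `test()[0] = {}` statement on line 53 presumably exists to plant a non-hole value that a faulty copy would later expose, and deserves its own one-line comment. As a style point, `var result` inside a `for (let ...)` loop would read more consistently as `let result = test();`.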
index 8f29464..114ec63 100644 (file)
@@ -1,3 +1,14 @@
+2017-04-17  Mark Lam  <mark.lam@apple.com>
+
+        JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too.
+        https://bugs.webkit.org/show_bug.cgi?id=170896
+        <rdar://problem/31651319>
+
+        Reviewed by JF Bastien and Keith Miller.
+
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::appendMemcpy):
+
 2017-04-17  Joseph Pecoraro  <pecoraro@apple.com>
 
         Web Inspector: Doesn't show size of compressed content correctly
index f6d7ade..7d25267 100644 (file)
@@ -483,7 +483,8 @@ bool JSArray::appendMemcpy(ExecState* exec, VM& vm, unsigned startIndex, JSC::JS
         return false;
 
     IndexingType type = indexingType();
-    IndexingType copyType = mergeIndexingTypeForCopying(otherArray->indexingType());
+    IndexingType otherType = otherArray->indexingType();
+    IndexingType copyType = mergeIndexingTypeForCopying(otherType);
     if (type == ArrayWithUndecided && copyType != NonArray) {
         if (copyType == ArrayWithInt32)
             convertUndecidedToInt32(vm);
@@ -517,7 +518,16 @@ bool JSArray::appendMemcpy(ExecState* exec, VM& vm, unsigned startIndex, JSC::JS
     }
     ASSERT(copyType == indexingType());
 
-    if (type == ArrayWithDouble)
+    if (UNLIKELY(otherType == ArrayWithUndecided)) {
+        auto* butterfly = this->butterfly();
+        if (type == ArrayWithDouble) {
+            for (unsigned i = startIndex; i < newLength; ++i)
+                butterfly->contiguousDouble()[i] = PNaN;
+        } else {
+            for (unsigned i = startIndex; i < newLength; ++i)
+                butterfly->contiguousInt32()[i].setWithoutWriteBarrier(JSValue());
+        }
+    } else if (type == ArrayWithDouble)
         memcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);
     else
         memcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength);
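Review bot: In the new ArrayWithUndecided branch the choice between a PNaN fill and an empty-JSValue fill keys off `type`, which was read from `indexingType()` on line 80 before the Undecided conversions at lines 84-86 and whatever follows them outside this hunk, so it can be stale by the time the fill runs; since line 89 already asserts `copyType == indexingType()`, `if (copyType == ArrayWithDouble) {` would select the fill by the storage's current type. For the memcpy branches a stale `type` is harmless because both copy the same raw bytes, but writing JSValue() into a double butterfly (or PNaN into a contiguous one) is not, so the distinction matters more now than before. Whether a source that is itself Undecided can ever drive a conversion to double depends on mergeIndexingTypeForCopying, which is not in view. `newLength` is defined outside the hunk; it presumably equals `startIndex + otherLength` to match the memcpy sizes on the other branches, which is worth confirming. appendMemcpy starts before and ends after this hunk.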