| OLD | NEW |
|---|
| 1 // Copyright 2012 the V8 project authors. All rights reserved. | 1 // Copyright 2012 the V8 project authors. All rights reserved. |
| 2 // Redistribution and use in source and binary forms, with or without | 2 // Redistribution and use in source and binary forms, with or without |
| 3 // modification, are permitted provided that the following conditions are | 3 // modification, are permitted provided that the following conditions are |
| 4 // met: | 4 // met: |
| 5 // | 5 // |
| 6 // * Redistributions of source code must retain the above copyright | 6 // * Redistributions of source code must retain the above copyright |
| 7 // notice, this list of conditions and the following disclaimer. | 7 // notice, this list of conditions and the following disclaimer. |
| 8 // * Redistributions in binary form must reproduce the above | 8 // * Redistributions in binary form must reproduce the above |
| 9 // copyright notice, this list of conditions and the following | 9 // copyright notice, this list of conditions and the following |
| 10 // disclaimer in the documentation and/or other materials provided | 10 // disclaimer in the documentation and/or other materials provided |
| (...skipping 8665 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 8676 | 8676 |
| 8677 { MaybeObject* maybe_obj = | 8677 { MaybeObject* maybe_obj = |
| 8678 GetElementsTransitionMap(heap->isolate(), FAST_DOUBLE_ELEMENTS); | 8678 GetElementsTransitionMap(heap->isolate(), FAST_DOUBLE_ELEMENTS); |
| 8679 if (!maybe_obj->ToObject(&obj)) return maybe_obj; | 8679 if (!maybe_obj->ToObject(&obj)) return maybe_obj; |
| 8680 } | 8680 } |
| 8681 Map* new_map = Map::cast(obj); | 8681 Map* new_map = Map::cast(obj); |
| 8682 | 8682 |
| 8683 FixedArrayBase* old_elements = elements(); | 8683 FixedArrayBase* old_elements = elements(); |
| 8684 ElementsKind elements_kind(GetElementsKind()); | 8684 ElementsKind elements_kind(GetElementsKind()); |
| 8685 AssertNoAllocation no_gc; | 8685 AssertNoAllocation no_gc; |
| 8686 switch (elements_kind) { | 8686 if (old_elements->length() != 0) { |
| 8687 case FAST_SMI_ONLY_ELEMENTS: | 8687 switch (elements_kind) { |
| 8688 case FAST_ELEMENTS: { | 8688 case FAST_SMI_ONLY_ELEMENTS: |
| 8689 elems->Initialize(FixedArray::cast(old_elements)); | 8689 case FAST_ELEMENTS: { |
| 8690 break; | 8690 elems->Initialize(FixedArray::cast(old_elements)); |
| 8691 break; |
| 8692 } |
| 8693 case FAST_DOUBLE_ELEMENTS: { |
| 8694 elems->Initialize(FixedDoubleArray::cast(old_elements)); |
| 8695 break; |
| 8696 } |
| 8697 case DICTIONARY_ELEMENTS: { |
| 8698 elems->Initialize(SeededNumberDictionary::cast(old_elements)); |
| 8699 break; |
| 8700 } |
| 8701 default: |
| 8702 UNREACHABLE(); |
| 8703 break; |
| 8691 } | 8704 } |
| 8692 case FAST_DOUBLE_ELEMENTS: { | |
| 8693 elems->Initialize(FixedDoubleArray::cast(old_elements)); | |
| 8694 break; | |
| 8695 } | |
| 8696 case DICTIONARY_ELEMENTS: { | |
| 8697 elems->Initialize(SeededNumberDictionary::cast(old_elements)); | |
| 8698 break; | |
| 8699 } | |
| 8700 default: | |
| 8701 UNREACHABLE(); | |
| 8702 break; | |
| 8703 } | 8705 } |
| 8704 | 8706 |
| 8705 if (FLAG_trace_elements_transitions) { | 8707 if (FLAG_trace_elements_transitions) { |
| 8706 PrintElementsTransition(stdout, elements_kind, old_elements, | 8708 PrintElementsTransition(stdout, elements_kind, old_elements, |
| 8707 FAST_DOUBLE_ELEMENTS, elems); | 8709 FAST_DOUBLE_ELEMENTS, elems); |
| 8708 } | 8710 } |
| 8709 | 8711 |
| 8710 ASSERT(new_map->has_fast_double_elements()); | 8712 ASSERT(new_map->has_fast_double_elements()); |
| 8711 set_map(new_map); | 8713 set_map(new_map); |
| 8712 ASSERT(elems->IsFixedDoubleArray()); | 8714 ASSERT(elems->IsFixedDoubleArray()); |
| (...skipping 923 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 9636 } | 9638 } |
| 9637 | 9639 |
| 9638 | 9640 |
| 9639 MUST_USE_RESULT MaybeObject* JSObject::SetFastDoubleElement( | 9641 MUST_USE_RESULT MaybeObject* JSObject::SetFastDoubleElement( |
| 9640 uint32_t index, | 9642 uint32_t index, |
| 9641 Object* value, | 9643 Object* value, |
| 9642 StrictModeFlag strict_mode, | 9644 StrictModeFlag strict_mode, |
| 9643 bool check_prototype) { | 9645 bool check_prototype) { |
| 9644 ASSERT(HasFastDoubleElements()); | 9646 ASSERT(HasFastDoubleElements()); |
| 9645 | 9647 |
| 9646 FixedDoubleArray* elms = FixedDoubleArray::cast(elements()); | 9648 FixedArrayBase* base_elms = FixedArrayBase::cast(elements()); |
| 9647 uint32_t elms_length = static_cast<uint32_t>(elms->length()); | 9649 uint32_t elms_length = static_cast<uint32_t>(base_elms->length()); |
| 9648 | 9650 |
| 9649 // If storing to an element that isn't in the array, pass the store request | 9651 // If storing to an element that isn't in the array, pass the store request |
| 9650 // up the prototype chain before storing in the receiver's elements. | 9652 // up the prototype chain before storing in the receiver's elements. |
| 9651 if (check_prototype && | 9653 if (check_prototype && |
| 9652 (index >= elms_length || elms->is_the_hole(index))) { | 9654 (index >= elms_length || |
| 9655 FixedDoubleArray::cast(base_elms)->is_the_hole(index))) { |
| 9653 bool found; | 9656 bool found; |
| 9654 MaybeObject* result = SetElementWithCallbackSetterInPrototypes(index, | 9657 MaybeObject* result = SetElementWithCallbackSetterInPrototypes(index, |
| 9655 value, | 9658 value, |
| 9656 &found, | 9659 &found, |
| 9657 strict_mode); | 9660 strict_mode); |
| 9658 if (found) return result; | 9661 if (found) return result; |
| 9659 } | 9662 } |
| 9660 | 9663 |
| 9661 // If the value object is not a heap number, switch to fast elements and try | 9664 // If the value object is not a heap number, switch to fast elements and try |
| 9662 // again. | 9665 // again. |
| (...skipping 14 matching lines...) Expand all Loading... |
| 9677 strict_mode, | 9680 strict_mode, |
| 9678 check_prototype); | 9681 check_prototype); |
| 9679 } | 9682 } |
| 9680 | 9683 |
| 9681 double double_value = value_is_smi | 9684 double double_value = value_is_smi |
| 9682 ? static_cast<double>(Smi::cast(value)->value()) | 9685 ? static_cast<double>(Smi::cast(value)->value()) |
| 9683 : HeapNumber::cast(value)->value(); | 9686 : HeapNumber::cast(value)->value(); |
| 9684 | 9687 |
| 9685 // Check whether there is extra space in the fixed array. | 9688 // Check whether there is extra space in the fixed array. |
| 9686 if (index < elms_length) { | 9689 if (index < elms_length) { |
| 9690 FixedDoubleArray* elms = FixedDoubleArray::cast(elements()); |
| 9687 elms->set(index, double_value); | 9691 elms->set(index, double_value); |
| 9688 if (IsJSArray()) { | 9692 if (IsJSArray()) { |
| 9689 // Update the length of the array if needed. | 9693 // Update the length of the array if needed. |
| 9690 uint32_t array_length = 0; | 9694 uint32_t array_length = 0; |
| 9691 CHECK(JSArray::cast(this)->length()->ToArrayIndex(&array_length)); | 9695 CHECK(JSArray::cast(this)->length()->ToArrayIndex(&array_length)); |
| 9692 if (index >= array_length) { | 9696 if (index >= array_length) { |
| 9693 JSArray::cast(this)->set_length(Smi::FromInt(index + 1)); | 9697 JSArray::cast(this)->set_length(Smi::FromInt(index + 1)); |
| 9694 } | 9698 } |
| 9695 } | 9699 } |
| 9696 return value; | 9700 return value; |
| (...skipping 3373 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 13070 if (break_point_objects()->IsUndefined()) return 0; | 13074 if (break_point_objects()->IsUndefined()) return 0; |
| 13071 // Single break point. | 13075 // Single break point. |
| 13072 if (!break_point_objects()->IsFixedArray()) return 1; | 13076 if (!break_point_objects()->IsFixedArray()) return 1; |
| 13073 // Multiple break points. | 13077 // Multiple break points. |
| 13074 return FixedArray::cast(break_point_objects())->length(); | 13078 return FixedArray::cast(break_point_objects())->length(); |
| 13075 } | 13079 } |
| 13076 #endif // ENABLE_DEBUGGER_SUPPORT | 13080 #endif // ENABLE_DEBUGGER_SUPPORT |
| 13077 | 13081 |
| 13078 | 13082 |
| 13079 } } // namespace v8::internal | 13083 } } // namespace v8::internal |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 9365055:
Fix crashing bugs in store-and-grow IC for double values. (Closed)
Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge