RESOLVED FIXED 131609
Array.prototype.concat should allocate output storage only once.
https://bugs.webkit.org/show_bug.cgi?id=131609
Summary Array.prototype.concat should allocate output storage only once.
Andreas Kling
Reported 2014-04-14 01:30:29 PDT
Array.prototype.concat should allocate output storage only once.
Attachments
Patch (3.40 KB, patch)
2014-04-14 01:32 PDT, Andreas Kling
oliver: review-
Patch (3.48 KB, patch)
2014-04-14 10:50 PDT, Andreas Kling
oliver: review+
Andreas Kling
Comment 1 2014-04-14 01:32:40 PDT
Darin Adler
Comment 2 2014-04-14 01:36:20 PDT
Comment on attachment 229273 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=229273&action=review > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:421 > + unsigned finalArraySize = 0; This is unsigned. > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:423 > + for (size_t i = 0; i <= argCount; ++i) { Yet this is size_t. What guarantees we don’t overflow the unsigned? > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:428 > + curArg = exec->uncheckedArgument(i); A little lame to do this one extra time at the end of the loop but then discard the result. > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:431 > + JSArray* arr = constructEmptyArray(exec, nullptr, finalArraySize); Go nuts and call this array instead of arr?
Andreas Kling
Comment 3 2014-04-14 09:20:28 PDT
(In reply to comment #2) > (From update of attachment 229273 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=229273&action=review > > > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:421 > > + unsigned finalArraySize = 0; > > This is unsigned. > > > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:423 > > + for (size_t i = 0; i <= argCount; ++i) { > > Yet this is size_t. What guarantees we don’t overflow the unsigned? Let's Checked<> it.
Andreas Kling
Comment 4 2014-04-14 09:20:37 PDT
Oliver Hunt
Comment 5 2014-04-14 09:40:28 PDT
Comment on attachment 229273 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=229273&action=review >> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:423 >> + for (size_t i = 0; i <= argCount; ++i) { > > Yet this is size_t. What guarantees we don’t overflow the unsigned? Why <= argCount? That means we always walk off the end of the argument list. What am i missing? >> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:428 >> + curArg = exec->uncheckedArgument(i); > > A little lame to do this one extra time at the end of the loop but then discard the result. ah i see. do {} while loop instead maybe? > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:442 > for (unsigned k = 0; k < length; ++k) { > - JSValue v = getProperty(exec, curObject, k); > + JSValue v = getProperty(exec, currentArray, k); currentArray is an object, i would do a canGetFastIndex, and fastGet -- so two loops but the get should be much faster.
WebKit Commit Bot
Comment 6 2014-04-14 10:23:58 PDT
Re-opened since this is blocked by bug 131621
Andreas Kling
Comment 7 2014-04-14 10:50:20 PDT
Created attachment 229291 [details] Patch Derp, let's not read past the last argument, shall we. Wish we had a debug-ews to tell me I'm doing dumb stuff sometimes.
Oliver Hunt
Comment 8 2014-04-14 10:51:51 PDT
Comment on attachment 229291 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=229291&action=review > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:444 > - JSValue v = getProperty(exec, curObject, k); > + JSValue v = getProperty(exec, currentArray, k); Follow on patch to optimise this get
Andreas Kling
Comment 9 2014-04-14 11:04:55 PDT
Note You need to log in before you can comment on or make changes to this bug.