WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
131609
Array.prototype.concat should allocate output storage only once.
https://bugs.webkit.org/show_bug.cgi?id=131609
Summary
Array.prototype.concat should allocate output storage only once.
Andreas Kling
Reported
2014-04-14 01:30:29 PDT
Array.prototype.concat should allocate output storage only once.
Attachments
Patch
(3.40 KB, patch)
2014-04-14 01:32 PDT
,
Andreas Kling
oliver
: review-
Details
Formatted Diff
Diff
Patch
(3.48 KB, patch)
2014-04-14 10:50 PDT
,
Andreas Kling
oliver
: review+
Details
Formatted Diff
Diff
Show Obsolete
(1)
View All
Add attachment
proposed patch, testcase, etc.
Andreas Kling
Comment 1
2014-04-14 01:32:40 PDT
Created
attachment 229273
[details]
Patch
Darin Adler
Comment 2
2014-04-14 01:36:20 PDT
Comment on
attachment 229273
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=229273&action=review
> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:421 > + unsigned finalArraySize = 0;
This is unsigned.
> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:423 > + for (size_t i = 0; i <= argCount; ++i) {
Yet this is size_t. What guarantees we don’t overflow the unsigned?
> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:428 > + curArg = exec->uncheckedArgument(i);
A little lame to do this one extra time at the end of the loop but then discard the result.
> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:431 > + JSArray* arr = constructEmptyArray(exec, nullptr, finalArraySize);
Go nuts and call this array instead of arr?
Andreas Kling
Comment 3
2014-04-14 09:20:28 PDT
(In reply to
comment #2
)
> (From update of
attachment 229273
[details]
) > View in context:
https://bugs.webkit.org/attachment.cgi?id=229273&action=review
> > > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:421 > > + unsigned finalArraySize = 0; > > This is unsigned. > > > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:423 > > + for (size_t i = 0; i <= argCount; ++i) { > > Yet this is size_t. What guarantees we don’t overflow the unsigned?
Let's Checked<> it.
Andreas Kling
Comment 4
2014-04-14 09:20:37 PDT
Committed
r167249
: <
http://trac.webkit.org/changeset/167249
>
Oliver Hunt
Comment 5
2014-04-14 09:40:28 PDT
Comment on
attachment 229273
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=229273&action=review
>> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:423 >> + for (size_t i = 0; i <= argCount; ++i) { > > Yet this is size_t. What guarantees we don’t overflow the unsigned?
Why <= argCount? That means we always walk off the end of the argument list. What am i missing?
>> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:428 >> + curArg = exec->uncheckedArgument(i); > > A little lame to do this one extra time at the end of the loop but then discard the result.
ah i see. do {} while loop instead maybe?
> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:442 > for (unsigned k = 0; k < length; ++k) { > - JSValue v = getProperty(exec, curObject, k); > + JSValue v = getProperty(exec, currentArray, k);
currentArray is an object, i would do a canGetFastIndex, and fastGet -- so two loops but the get should be much faster.
WebKit Commit Bot
Comment 6
2014-04-14 10:23:58 PDT
Re-opened since this is blocked by
bug 131621
Andreas Kling
Comment 7
2014-04-14 10:50:20 PDT
Created
attachment 229291
[details]
Patch Derp, let's not read past the last argument, shall we. Wish we had a debug-ews to tell me I'm doing dumb stuff sometimes.
Oliver Hunt
Comment 8
2014-04-14 10:51:51 PDT
Comment on
attachment 229291
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=229291&action=review
> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:444 > - JSValue v = getProperty(exec, curObject, k); > + JSValue v = getProperty(exec, currentArray, k);
Follow on patch to optimise this get
Andreas Kling
Comment 9
2014-04-14 11:04:55 PDT
Committed
r167255
: <
http://trac.webkit.org/changeset/167255
>
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug