diff options
| author | Filip Pizlo <fpizlo@apple.com> | 2013-04-04 12:19:52 +0200 |
|---|---|---|
| committer | The Qt Project <gerrit-noreply@qt-project.org> | 2013-04-04 14:32:39 +0200 |
| commit | 23bde0cf8565bb36b9df638de874ad04607e84d3 (patch) | |
| tree | eb1dde5c8bca49220501eb0946b9aa260023665c /Source/JavaScriptCore/runtime/JSArray.h | |
| parent | 2c526bdf6b7096aea3e7aa62d1c0233cb5e619b3 (diff) | |
| download | qtwebkit-23bde0cf8565bb36b9df638de874ad04607e84d3.tar.gz | |
If array allocation profiling causes a new_array to allocate double arrays, then the holes should end up being correctly initialized
https://bugs.webkit.org/show_bug.cgi?id=106363
Reviewed by Mark Hahnenberg.
Source/JavaScriptCore:
* runtime/JSArray.h:
(JSC::JSArray::tryCreateUninitialized):
LayoutTests:
* fast/js/jsc-test-list:
* fast/js/new-array-double-with-holes-expected.txt: Added.
* fast/js/new-array-double-with-holes.html: Added.
* fast/js/script-tests/new-array-double-with-holes.js: Added.
(foo):
Change-Id: Iad48b7dd0e71bcbe8557fd6f19487fcd9eeed585
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139094 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
Diffstat (limited to 'Source/JavaScriptCore/runtime/JSArray.h')
| -rw-r--r-- | Source/JavaScriptCore/runtime/JSArray.h | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/Source/JavaScriptCore/runtime/JSArray.h b/Source/JavaScriptCore/runtime/JSArray.h index ea1ed9047..cef3b53ad 100644 --- a/Source/JavaScriptCore/runtime/JSArray.h +++ b/Source/JavaScriptCore/runtime/JSArray.h @@ -245,6 +245,10 @@ inline JSArray* JSArray::tryCreateUninitialized(JSGlobalData& globalData, Struct butterfly = Butterfly::fromBase(temp, 0, 0); butterfly->setVectorLength(vectorLength); butterfly->setPublicLength(initialLength); + if (hasDouble(structure->indexingType())) { + for (unsigned i = initialLength; i < vectorLength; ++i) + butterfly->contiguousDouble()[i] = QNaN; + } } else { void* temp; if (!globalData.heap.tryAllocateStorage(Butterfly::totalSize(0, 0, true, ArrayStorage::sizeFor(vectorLength)), &temp)) |