Version 4.7.80.20 (cherry-pick)
Merged c227dd5734efa41e4973c834c910bb684a9e1998
Refactor array construction for map, filter
BUG=chromium:544991
LOG=N
TBR=littledan@chromium.org
Review URL: https://codereview.chromium.org/1431073002 .
Cr-Commit-Position: refs/branch-heads/4.7@{#31}
Cr-Branched-From: f3c89267db0fc6120d95046c3ff35a35ca34614f-refs/heads/master@{#31014}
diff --git a/include/v8-version.h b/include/v8-version.h
index 22663e8..b3dffc6 100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
#define V8_MAJOR_VERSION 4
#define V8_MINOR_VERSION 7
#define V8_BUILD_NUMBER 80
-#define V8_PATCH_LEVEL 19
+#define V8_PATCH_LEVEL 20
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
diff --git a/src/array.js b/src/array.js
index b2b038d..bf04bb7 100644
--- a/src/array.js
+++ b/src/array.js
@@ -1198,7 +1198,9 @@
}
}
}
- return accumulator;
+ var result = new GlobalArray();
+ %MoveArrayContents(accumulator, result);
+ return result;
}
function ArrayFilter(f, receiver) {
@@ -1208,10 +1210,7 @@
// loop will not affect the looping and side effects are visible.
var array = TO_OBJECT(this);
var length = TO_LENGTH_OR_UINT32(array.length);
- var accumulator = InnerArrayFilter(f, receiver, array, length);
- var result = new GlobalArray();
- %MoveArrayContents(accumulator, result);
- return result;
+ return InnerArrayFilter(f, receiver, array, length);
}
function InnerArrayForEach(f, receiver, array, length) {
@@ -1311,7 +1310,9 @@
accumulator[i] = %_Call(f, receiver, element, i, array);
}
}
- return accumulator;
+ var result = new GlobalArray();
+ %MoveArrayContents(accumulator, result);
+ return result;
}
@@ -1322,10 +1323,7 @@
// loop will not affect the looping and side effects are visible.
var array = TO_OBJECT(this);
var length = TO_LENGTH_OR_UINT32(array.length);
- var accumulator = InnerArrayMap(f, receiver, array, length);
- var result = new GlobalArray();
- %MoveArrayContents(accumulator, result);
- return result;
+ return InnerArrayMap(f, receiver, array, length);
}
diff --git a/test/mjsunit/regress/regress-544991.js b/test/mjsunit/regress/regress-544991.js
new file mode 100644
index 0000000..dc09fae
--- /dev/null
+++ b/test/mjsunit/regress/regress-544991.js
@@ -0,0 +1,15 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var typedArray = new Int8Array(1);
+var saved;
+var called;
+typedArray.constructor = function(x) { called = true; saved = x };
+typedArray.constructor.prototype = Int8Array.prototype;
+typedArray.map(function(){});
+
+// To meet the spec, constructor shouldn't be called directly, but
+// if it is called for now, the argument should be an Array
+assertTrue(called); // Will fail later; when so, delete this test
+assertEquals("Array", saved.constructor.name);
