Closed
Bug 1287520
Opened 9 years ago
Closed 9 years ago
Incorrect IsPackedArray optimization in Array.prototype.concat
Categories
(Core :: JavaScript: Standard Library, defect)
Core
JavaScript: Standard Library
Tracking
()
RESOLVED
FIXED
mozilla50
| Tracking | Status | |
|---|---|---|
| firefox47 | --- | unaffected |
| firefox48 | --- | affected |
| firefox49 | --- | affected |
| firefox-esr45 | --- | unaffected |
| firefox50 | --- | fixed |
People
(Reporter: anba, Assigned: arai)
References
()
Details
Attachments
(1 file)
|
1.98 KB,
patch
|
efaust
:
review+
|
Details | Diff | Splinter Review |
The `IsPackedArray` optimization in ArrayConcat is not correct when proxies are used.
Test case:
---
var a = [1, 2, 3];
a.constructor = {
[Symbol.species]: function(...args) {
var p = new Proxy(new Array(...args), {
defineProperty(target, propertyKey, receiver) {
if (propertyKey === "0") delete a[1];
return Reflect.defineProperty(target, propertyKey, receiver);
}
});
return p;
}
};
var p = a.concat();
print(1 in p);
---
Expected: Prints "false"
Actual: Prints "true"
|
Assignee | |
Comment 1•9 years ago
|
||
Thanks :)
https://dxr.mozilla.org/mozilla-central/rev/4c05938a64a7fde3ac2d7f4493aee1c5f2ad8a0a/js/src/builtin/Array.js#993
> if (IsPackedArray(E)) {
So, we should check `IsPackedArray(A)` there too.
Will post a patch after performance check.
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 2•9 years ago
|
||
Before entering optimized path for packed array, added a check for `IsPackedArray(A)`, to avoid entering it when the result array is a Proxy or some complicated thing.
I don't see any notable performance regression with this.
Attachment #8772224 -
Flags: review?(efaustbmo)
|
|
Assignee | |
Updated•9 years ago
|
|
|
Assignee | |
Updated•9 years ago
|
Blocks: 1233642
status-firefox47:
--- → unaffected
status-firefox48:
--- → affected
status-firefox49:
--- → affected
status-firefox-esr45:
--- → unaffected
|
||
Updated•9 years ago
|
Attachment #8772224 -
Flags: review?(efaustbmo) → review+
|
|
Assignee | |
Comment 3•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/b40a60e2a4e138d4b99805b5471bcff268817f9a
Bug 1287520 - Check IsPackedArray for the result array in Array.prototype.concat. r=efaust
|
||
Comment 4•9 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
You need to log in
before you can comment on or make changes to this bug.
Description
•