[Webkit-unassigned] [Bug 185476] [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed May 9 09:55:54 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=185476
Yusuke Suzuki <utatane.tea at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |utatane.tea at gmail.com
Attachment #339969|review? |review-
Flags| |
--- Comment #2 from Yusuke Suzuki <utatane.tea at gmail.com> ---
Comment on attachment 339969
--> https://bugs.webkit.org/attachment.cgi?id=339969
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=339969&action=review
> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:256
> + // If isArray is false, return ? ArrayCreate(length).
> + JSGlobalObject* globalObject = thisObject->globalObject();
> + JSValue newValue = constructArrayWithSizeQuirk(exec, nullptr, globalObject, jsNumber(length), exec->newTarget());
> + JSObject* newObject = newValue.toObject(exec);
> RETURN_IF_EXCEPTION(scope, exceptionResult());
> + return std::make_pair(SpeciesConstructResult::CreatedObject, newObject);
Let's return `std::make_pair(SpeciesConstructResult::FastPath, nullptr)` since it creates an Array(length), it is fast path case.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180509/829b970b/attachment-0001.html>
More information about the webkit-unassigned
mailing list