[MERGE chakra-core#2337 @obastemur] bug-fix: 9575461 - IsConcatSpreadable is called twice

obastemur · obastemur · commit c1623a6ae6c6 · 2017-01-09T21:46:34.000-08:00
Merge pull request chakra-core#2337 from obastemur:9575461
diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
@@ -2997,7 +2997,9 @@ namespace Js
     }
 
     template<typename T>
-    void JavascriptArray::ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds, Js::Arguments& args, ScriptContext* scriptContext, uint start, BigIndex startIdxDest, BOOL FirstPromotedItemIsSpreadable, BigIndex FirstPromotedItemLength)
+    void JavascriptArray::ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds,
+        Js::Arguments& args, ScriptContext* scriptContext, uint start, BigIndex startIdxDest,
+        BOOL FirstPromotedItemIsSpreadable, BigIndex FirstPromotedItemLength, bool spreadableCheckedAndTrue)
     {
         // This never gets called.
         Throw::InternalError();
@@ -3006,7 +3008,9 @@ namespace Js
     // Helper for EntryConcat. Concat args or elements of arg arrays into dest array.
     //
     template<typename T>
-    void JavascriptArray::ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds, Js::Arguments& args, ScriptContext* scriptContext, uint start, uint startIdxDest, BOOL firstPromotedItemIsSpreadable, BigIndex firstPromotedItemLength)
+    void JavascriptArray::ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds,
+        Js::Arguments& args, ScriptContext* scriptContext, uint start, uint startIdxDest,
+        BOOL firstPromotedItemIsSpreadable, BigIndex firstPromotedItemLength, bool spreadableCheckedAndTrue)
     {
         JavascriptArray* pDestArray = nullptr;
 
@@ -3019,8 +3023,8 @@ namespace Js
         for (uint idxArg = start; idxArg < args.Info.Count; idxArg++)
         {
             Var aItem = args[idxArg];
-            BOOL spreadable = false;
-            if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled())
+            bool spreadable = spreadableCheckedAndTrue;
+            if (!spreadable && scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled())
             {
                 // firstPromotedItemIsSpreadable is ONLY used to resume after a type promotion from uint32 to uint64
                 // we do this because calls to IsConcatSpreadable are observable (a big deal for proxies) and we don't
@@ -3034,6 +3038,10 @@ namespace Js
                     continue;
                 }
             }
+            else
+            {
+                spreadableCheckedAndTrue = false; // if it was `true`, reset after the first use
+            }
 
             if (pDestArray && JavascriptArray::IsDirectAccessArray(aItem) && JavascriptArray::IsDirectAccessArray(pDestArray)
                 && BigIndex(idxDest + JavascriptArray::FromVar(aItem)->length).IsSmallIndex()) // Fast path
@@ -3151,6 +3159,7 @@ namespace Js
             pDestArray->SetLength(ConvertToIndex<T, uint32>(idxDest, scriptContext));
         }
     }
+
     bool JavascriptArray::PromoteToBigIndex(BigIndex lhs, BigIndex rhs)
     {
         return false; // already a big index
@@ -3173,17 +3182,25 @@ namespace Js
         for (uint idxArg = 0; idxArg < args.Info.Count; idxArg++)
         {
             Var aItem = args[idxArg];
+            bool spreadableCheckedAndTrue = false;
 
-            if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled() && !JavascriptOperators::IsConcatSpreadable(aItem))
+            if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled())
             {
-                pDestArray->SetItem(idxDest, aItem, PropertyOperation_ThrowIfNotExtensible);
-                idxDest = idxDest + 1;
-                if (!JavascriptNativeIntArray::Is(pDestArray)) // SetItem could convert pDestArray to a var array if aItem is not an integer if so fall back
+                if (JavascriptOperators::IsConcatSpreadable(aItem))
                 {
-                    ConcatArgs<uint>(pDestArray, remoteTypeIds, args, scriptContext, idxArg + 1, idxDest);
-                    return pDestArray;
+                    spreadableCheckedAndTrue = true;
+                }
+                else
+                {
+                    pDestArray->SetItem(idxDest, aItem, PropertyOperation_ThrowIfNotExtensible);
+                    idxDest = idxDest + 1;
+                    if (!JavascriptNativeIntArray::Is(pDestArray)) // SetItem could convert pDestArray to a var array if aItem is not an integer if so fall back
+                    {
+                        ConcatArgs<uint>(pDestArray, remoteTypeIds, args, scriptContext, idxArg + 1, idxDest);
+                        return pDestArray;
+                    }
+                    continue;
                 }
-                continue;
             }
 
             if (JavascriptNativeIntArray::Is(aItem)) // Fast path
@@ -3220,7 +3237,7 @@ namespace Js
             else
             {
                 JavascriptArray *pVarDestArray = JavascriptNativeIntArray::ConvertToVarArray(pDestArray);
-                ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest);
+                ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest, spreadableCheckedAndTrue);
                 return pVarDestArray;
             }
         }
@@ -3238,18 +3255,26 @@ namespace Js
         {
             Var aItem = args[idxArg];
 
-            if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled() && !JavascriptOperators::IsConcatSpreadable(aItem))
-            {
-
-                pDestArray->SetItem(idxDest, aItem, PropertyOperation_ThrowIfNotExtensible);
+            bool spreadableCheckedAndTrue = false;
 
-                idxDest = idxDest + 1;
-                if (!JavascriptNativeFloatArray::Is(pDestArray)) // SetItem could convert pDestArray to a var array if aItem is not an integer if so fall back
+            if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled())
+            {
+                if (JavascriptOperators::IsConcatSpreadable(aItem))
                 {
-                    ConcatArgs<uint>(pDestArray, remoteTypeIds, args, scriptContext, idxArg + 1, idxDest);
-                    return pDestArray;
+                    spreadableCheckedAndTrue = true;
+                }
+                else
+                {
+                    pDestArray->SetItem(idxDest, aItem, PropertyOperation_ThrowIfNotExtensible);
+
+                    idxDest = idxDest + 1;
+                    if (!JavascriptNativeFloatArray::Is(pDestArray)) // SetItem could convert pDestArray to a var array if aItem is not an integer if so fall back
+                    {
+                        ConcatArgs<uint>(pDestArray, remoteTypeIds, args, scriptContext, idxArg + 1, idxDest);
+                        return pDestArray;
+                    }
+                    continue;
                 }
-                continue;
             }
 
             bool converted;
@@ -3270,9 +3295,10 @@ namespace Js
                 else
                 {
                     JavascriptArray *pVarDestArray = JavascriptNativeFloatArray::ConvertToVarArray(pDestArray);
-                    ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest);
+                    ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest, spreadableCheckedAndTrue);
                     return pVarDestArray;
                 }
+
                 if (converted)
                 {
                     // Copying the last array forced a conversion, so switch over to the var version
diff --git a/lib/Runtime/Library/JavascriptArray.h b/lib/Runtime/Library/JavascriptArray.h
@@ -123,7 +123,7 @@ namespace Js
         static const uint8 AllocationBucketIndex = 0;
         // 1st column in allocationBuckets that stores no. of missing elements to initialize for given bucket
         static const uint8 MissingElementsCountIndex = 1;
-        // 2nd column in allocationBuckets that stores allocation size for given bucket 
+        // 2nd column in allocationBuckets that stores allocation size for given bucket
         static const uint8 AllocationSizeIndex = 2;
 #if defined(_M_X64_OR_ARM64)
         static const uint8 AllocationBucketsCount = 3;
@@ -780,9 +780,9 @@ namespace Js
         static void SetConcatItem(Var aItem, uint idxArg, JavascriptArray* pDestArray, RecyclableObject* pDestObj, T idxDest, ScriptContext *scriptContext);
 
         template<typename T>
-        static void ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds, Js::Arguments& args, ScriptContext* scriptContext, uint start, BigIndex startIdxDest, BOOL firstPromotedItemIsSpreadable, BigIndex firstPromotedItemLength);
+        static void ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds, Js::Arguments& args, ScriptContext* scriptContext, uint start, BigIndex startIdxDest, BOOL firstPromotedItemIsSpreadable, BigIndex firstPromotedItemLength, bool spreadableCheckedAndTrue = false);
         template<typename T>
-        static void ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds, Js::Arguments& args, ScriptContext* scriptContext, uint start = 0, uint startIdxDest = 0u, BOOL FirstPromotedItemIsSpreadable = false, BigIndex FirstPromotedItemLength = 0u);
+        static void ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds, Js::Arguments& args, ScriptContext* scriptContext, uint start = 0, uint startIdxDest = 0u, BOOL FirstPromotedItemIsSpreadable = false, BigIndex FirstPromotedItemLength = 0u, bool spreadableCheckedAndTrue = false);
         static JavascriptArray* ConcatIntArgs(JavascriptNativeIntArray* pDestArray, TypeId* remoteTypeIds, Js::Arguments& args, ScriptContext* scriptContext);
         static bool PromoteToBigIndex(BigIndex lhs, BigIndex rhs);
         static bool PromoteToBigIndex(BigIndex lhs, uint32 rhs);
diff --git a/test/Array/bug_9575461.js b/test/Array/bug_9575461.js
@@ -0,0 +1,28 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+var obj = [1, 2, 3];
+var cc_base = [-2, -1, 0];
+var isCS = false;
+var counter = 0;
+
+Object.defineProperty(obj, Symbol.isConcatSpreadable, {
+    get : function () {
+        counter++;
+        obj[2] = isCS ? "Some String inserted" : 123;
+        isCS = !isCS;
+        return isCS;
+    }
+});
+
+var MAY_THROW = function(n, result) {
+    if (!result) throw new Error(n + ". FAILED");
+};
+
+MAY_THROW(0, cc_base.concat(obj).length == 6);
+MAY_THROW(1, cc_base.concat(obj).length == 4);
+MAY_THROW(2, counter == 2 && !isCS);
+
+print("PASS");
diff --git a/test/Array/rlexe.xml b/test/Array/rlexe.xml
@@ -728,4 +728,9 @@
       <tags>BugFix</tags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>bug_9575461.js</files>
+    </default>
+  </test>
 </regress-exe>

Original file line number	Diff line number	Diff line change
`@@ -2997,7 +2997,9 @@ namespace Js`
`2997`	`2997`	`}`
`2998`	`2998`
`2999`	`2999`	`template<typename T>`
`3000`		`- void JavascriptArray::ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds, Js::Arguments& args, ScriptContext* scriptContext, uint start, BigIndex startIdxDest, BOOL FirstPromotedItemIsSpreadable, BigIndex FirstPromotedItemLength)`
	`3000`	`+ void JavascriptArray::ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds,`
	`3001`	`+ Js::Arguments& args, ScriptContext* scriptContext, uint start, BigIndex startIdxDest,`
	`3002`	`+ BOOL FirstPromotedItemIsSpreadable, BigIndex FirstPromotedItemLength, bool spreadableCheckedAndTrue)`
`3001`	`3003`	`{`
`3002`	`3004`	`// This never gets called.`
`3003`	`3005`	`Throw::InternalError();`
`@@ -3006,7 +3008,9 @@ namespace Js`
`3006`	`3008`	`// Helper for EntryConcat. Concat args or elements of arg arrays into dest array.`
`3007`	`3009`	`//`
`3008`	`3010`	`template<typename T>`
`3009`		`- void JavascriptArray::ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds, Js::Arguments& args, ScriptContext* scriptContext, uint start, uint startIdxDest, BOOL firstPromotedItemIsSpreadable, BigIndex firstPromotedItemLength)`
	`3011`	`+ void JavascriptArray::ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds,`
	`3012`	`+ Js::Arguments& args, ScriptContext* scriptContext, uint start, uint startIdxDest,`
	`3013`	`+ BOOL firstPromotedItemIsSpreadable, BigIndex firstPromotedItemLength, bool spreadableCheckedAndTrue)`
`3010`	`3014`	`{`
`3011`	`3015`	`JavascriptArray* pDestArray = nullptr;`
`3012`	`3016`
`@@ -3019,8 +3023,8 @@ namespace Js`
`3019`	`3023`	`for (uint idxArg = start; idxArg < args.Info.Count; idxArg++)`
`3020`	`3024`	`{`
`3021`	`3025`	`Var aItem = args[idxArg];`
`3022`		`- BOOL spreadable = false;`
`3023`		`- if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled())`
	`3026`	`+ bool spreadable = spreadableCheckedAndTrue;`
	`3027`	`+ if (!spreadable && scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled())`
`3024`	`3028`	`{`
`3025`	`3029`	`// firstPromotedItemIsSpreadable is ONLY used to resume after a type promotion from uint32 to uint64`
`3026`	`3030`	`// we do this because calls to IsConcatSpreadable are observable (a big deal for proxies) and we don't`
`@@ -3034,6 +3038,10 @@ namespace Js`
`3034`	`3038`	`continue;`
`3035`	`3039`	`}`
`3036`	`3040`	`}`
	`3041`	`+ else`
	`3042`	`+ {`
	`3043`	+ spreadableCheckedAndTrue = false; // if it was `true`, reset after the first use
	`3044`	`+ }`
`3037`	`3045`
`3038`	`3046`	`if (pDestArray && JavascriptArray::IsDirectAccessArray(aItem) && JavascriptArray::IsDirectAccessArray(pDestArray)`
`3039`	`3047`	`&& BigIndex(idxDest + JavascriptArray::FromVar(aItem)->length).IsSmallIndex()) // Fast path`
`@@ -3151,6 +3159,7 @@ namespace Js`
`3151`	`3159`	`pDestArray->SetLength(ConvertToIndex<T, uint32>(idxDest, scriptContext));`
`3152`	`3160`	`}`
`3153`	`3161`	`}`
	`3162`	`+`
`3154`	`3163`	`bool JavascriptArray::PromoteToBigIndex(BigIndex lhs, BigIndex rhs)`
`3155`	`3164`	`{`
`3156`	`3165`	`return false; // already a big index`
`@@ -3173,17 +3182,25 @@ namespace Js`
`3173`	`3182`	`for (uint idxArg = 0; idxArg < args.Info.Count; idxArg++)`
`3174`	`3183`	`{`
`3175`	`3184`	`Var aItem = args[idxArg];`
	`3185`	`+ bool spreadableCheckedAndTrue = false;`
`3176`	`3186`
`3177`		`- if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled() && !JavascriptOperators::IsConcatSpreadable(aItem))`
	`3187`	`+ if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled())`
`3178`	`3188`	`{`
`3179`		`- pDestArray->SetItem(idxDest, aItem, PropertyOperation_ThrowIfNotExtensible);`
`3180`		`- idxDest = idxDest + 1;`
`3181`		`- if (!JavascriptNativeIntArray::Is(pDestArray)) // SetItem could convert pDestArray to a var array if aItem is not an integer if so fall back`
	`3189`	`+ if (JavascriptOperators::IsConcatSpreadable(aItem))`
`3182`	`3190`	`{`
`3183`		`- ConcatArgs<uint>(pDestArray, remoteTypeIds, args, scriptContext, idxArg + 1, idxDest);`
`3184`		`- return pDestArray;`
	`3191`	`+ spreadableCheckedAndTrue = true;`
	`3192`	`+ }`
	`3193`	`+ else`
	`3194`	`+ {`
	`3195`	`+ pDestArray->SetItem(idxDest, aItem, PropertyOperation_ThrowIfNotExtensible);`
	`3196`	`+ idxDest = idxDest + 1;`
	`3197`	`+ if (!JavascriptNativeIntArray::Is(pDestArray)) // SetItem could convert pDestArray to a var array if aItem is not an integer if so fall back`
	`3198`	`+ {`
	`3199`	`+ ConcatArgs<uint>(pDestArray, remoteTypeIds, args, scriptContext, idxArg + 1, idxDest);`
	`3200`	`+ return pDestArray;`
	`3201`	`+ }`
	`3202`	`+ continue;`
`3185`	`3203`	`}`
`3186`		`- continue;`
`3187`	`3204`	`}`
`3188`	`3205`
`3189`	`3206`	`if (JavascriptNativeIntArray::Is(aItem)) // Fast path`
`@@ -3220,7 +3237,7 @@ namespace Js`
`3220`	`3237`	`else`
`3221`	`3238`	`{`
`3222`	`3239`	`JavascriptArray *pVarDestArray = JavascriptNativeIntArray::ConvertToVarArray(pDestArray);`
`3223`		`- ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest);`
	`3240`	`+ ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest, spreadableCheckedAndTrue);`
`3224`	`3241`	`return pVarDestArray;`
`3225`	`3242`	`}`
`3226`	`3243`	`}`
`@@ -3238,18 +3255,26 @@ namespace Js`
`3238`	`3255`	`{`
`3239`	`3256`	`Var aItem = args[idxArg];`
`3240`	`3257`
`3241`		`- if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled() && !JavascriptOperators::IsConcatSpreadable(aItem))`
`3242`		`- {`
`3243`		`-`
`3244`		`- pDestArray->SetItem(idxDest, aItem, PropertyOperation_ThrowIfNotExtensible);`
	`3258`	`+ bool spreadableCheckedAndTrue = false;`
`3245`	`3259`
`3246`		`- idxDest = idxDest + 1;`
`3247`		`- if (!JavascriptNativeFloatArray::Is(pDestArray)) // SetItem could convert pDestArray to a var array if aItem is not an integer if so fall back`
	`3260`	`+ if (scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled())`
	`3261`	`+ {`
	`3262`	`+ if (JavascriptOperators::IsConcatSpreadable(aItem))`
`3248`	`3263`	`{`
`3249`		`- ConcatArgs<uint>(pDestArray, remoteTypeIds, args, scriptContext, idxArg + 1, idxDest);`
`3250`		`- return pDestArray;`
	`3264`	`+ spreadableCheckedAndTrue = true;`
	`3265`	`+ }`
	`3266`	`+ else`
	`3267`	`+ {`
	`3268`	`+ pDestArray->SetItem(idxDest, aItem, PropertyOperation_ThrowIfNotExtensible);`
	`3269`	`+`
	`3270`	`+ idxDest = idxDest + 1;`
	`3271`	`+ if (!JavascriptNativeFloatArray::Is(pDestArray)) // SetItem could convert pDestArray to a var array if aItem is not an integer if so fall back`
	`3272`	`+ {`
	`3273`	`+ ConcatArgs<uint>(pDestArray, remoteTypeIds, args, scriptContext, idxArg + 1, idxDest);`
	`3274`	`+ return pDestArray;`
	`3275`	`+ }`
	`3276`	`+ continue;`
`3251`	`3277`	`}`
`3252`		`- continue;`
`3253`	`3278`	`}`
`3254`	`3279`
`3255`	`3280`	`bool converted;`
`@@ -3270,9 +3295,10 @@ namespace Js`
`3270`	`3295`	`else`
`3271`	`3296`	`{`
`3272`	`3297`	`JavascriptArray *pVarDestArray = JavascriptNativeFloatArray::ConvertToVarArray(pDestArray);`
`3273`		`- ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest);`
	`3298`	`+ ConcatArgs<uint>(pVarDestArray, remoteTypeIds, args, scriptContext, idxArg, idxDest, spreadableCheckedAndTrue);`
`3274`	`3299`	`return pVarDestArray;`
`3275`	`3300`	`}`
	`3301`	`+`
`3276`	`3302`	`if (converted)`
`3277`	`3303`	`{`
`3278`	`3304`	`// Copying the last array forced a conversion, so switch over to the var version`