Push version 2.0.1 to trunk.

Fixed crash bug in String.prototype.replace.

Reverted a change which caused Chromium interactive ui test failures.


git-svn-id: http://v8.googlecode.com/svn/trunk@3339 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
diff --git a/src/runtime.cc b/src/runtime.cc
index ccb8885..6ae2233 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -1750,10 +1750,10 @@
   // Index of end of last match.
   int prev = 0;
 
-  // Number of parts added by compiled replacement plus preceeding string
-  // and possibly suffix after last match. It is possible for compiled
-  // replacements to use two elements when encoded as two smis.
-  const int parts_added_per_loop = compiled_replacement.parts() * 2 + 2;
+  // Number of parts added by compiled replacement plus preceeding
+  // string and possibly suffix after last match.  It is possible for
+  // all components to use two elements when encoded as two smis.
+  const int parts_added_per_loop = 2 * (compiled_replacement.parts() + 2);
   bool matched = true;
   do {
     ASSERT(last_match_info_handle->HasFastElements());
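Review bot: Nothing in the visible lines ties `parts_added_per_loop` to what one iteration of the loop actually appends, so the bound is still a hand-derived constant, and an undercount of it appears to be the crash this commit fixes. The comment above the constant should spell out the derivation, for example `// Upper bound per iteration: parts() replacement pieces + preceding substring + suffix, each up to two slots (two-smi encoding).` A debug-only ASSERT at the end of each iteration, checking that no more than `parts_added_per_loop` entries were added, would catch a future miscount before it can overrun the reserved capacity. The loop body and the capacity reservation are outside this hunk, so verify both suggestions against the full function.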
@@ -2356,12 +2356,20 @@
   ASSERT(args.length() == 3);
 
   CONVERT_CHECKED(String, value, args[0]);
-  CONVERT_DOUBLE_CHECKED(from_number, args[1]);
-  CONVERT_DOUBLE_CHECKED(to_number, args[2]);
-
-  int start = FastD2I(from_number);
-  int end = FastD2I(to_number);
-
+  Object* from = args[1];
+  Object* to = args[2];
+  int start, end;
+  // We have a fast integer-only case here to avoid a conversion to double in
+  // the common case where from and to are Smis.
+  if (from->IsSmi() && to->IsSmi()) {
+    start = Smi::cast(from)->value();
+    end = Smi::cast(to)->value();
+  } else {
+    CONVERT_DOUBLE_CHECKED(from_number, from);
+    CONVERT_DOUBLE_CHECKED(to_number, to);
+    start = FastD2I(from_number);
+    end = FastD2I(to_number);
+  }
   RUNTIME_ASSERT(end >= start);
   RUNTIME_ASSERT(start >= 0);
   RUNTIME_ASSERT(end <= value->length());
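Review bot: In the non-Smi branch, `FastD2I(from_number)` and `FastD2I(to_number)` run before any range check, so a NaN or a double outside the `int` range is narrowed first and only the narrowed value reaches the three `RUNTIME_ASSERT`s. If `FastD2I` is a plain cast (its definition is not shown here), the result of that narrowing is not defined for such inputs, and the bounds checks would then be validating an arbitrary value. Validating the doubles ahead of the two conversions closes that gap: `RUNTIME_ASSERT(from_number >= 0 && from_number <= to_number && to_number <= value->length());` (NaN fails every comparison). As a style point, `int start, end;` would read better as two separately initialized declarations. The function's signature and the later use of `start`/`end` are outside the hunk.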