[v8-dev] [v8] r24038 committed - Version 3.27.34.20 (merged r23727)...

[codesite-noreply via v8-dev]

Revision: 24038
Author:   verwa...@chromium.org
Date:     Thu Sep 18 12:31:55 2014 UTC
Log:      Version 3.27.34.20 (merged r23727)
Allocate a new empty number dictionary when resetting elements

BUG=410332
LOG=N
R=yang...@chromium.org

Review URL: https://codereview.chromium.org/583533003
https://code.google.com/p/v8/source/detail?r=24038

Added:
 /branches/3.27/test/mjsunit/regress/regress-reset-dictionary-elements.js
Modified:
 /branches/3.27/src/objects-inl.h
 /branches/3.27/src/objects.cc
 /branches/3.27/src/version.cc

=======================================
--- /dev/null
+++  
/branches/3.27/test/mjsunit/regress/regress-reset-dictionary-elements.js	 
Thu Sep 18 12:31:55 2014 UTC
@@ -0,0 +1,14 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var a = [];
+a[10000] = 1;
+a.length = 0;
+a[1] = 1;
+a.length = 0;
+assertEquals(undefined, a[1]);
+
+var o = {};
+Object.freeze(o);
+assertEquals(undefined, o[1]);
=======================================
--- /branches/3.27/src/objects-inl.h    Mon Jun 16 11:20:10 2014 UTC
+++ /branches/3.27/src/objects-inl.h    Thu Sep 18 12:31:55 2014 UTC
@@ -2738,9 +2738,6 @@
       GetHeap()->EmptyFixedTypedArrayForMap(this);
     ASSERT(!GetHeap()->InNewSpace(empty_array));
     return empty_array;
-  } else if (has_dictionary_elements()) {
-     
ASSERT(!GetHeap()->InNewSpace(GetHeap()->empty_slow_element_dictionary()));
-    return GetHeap()->empty_slow_element_dictionary();
   } else {
     UNREACHABLE();
   }
=======================================
--- /branches/3.27/src/objects.cc       Mon Aug 25 19:32:23 2014 UTC
+++ /branches/3.27/src/objects.cc       Thu Sep 18 12:31:55 2014 UTC
@@ -4793,9 +4793,15 @@


 void JSObject::ResetElements(Handle<JSObject> object) {
-  Heap* heap = object->GetIsolate()->heap();
-  CHECK(object->map() != heap->sloppy_arguments_elements_map());
-  object->set_elements(object->map()->GetInitialElements());
+  Isolate* isolate = object->GetIsolate();
+  CHECK(object->map() != isolate->heap()->sloppy_arguments_elements_map());
+  if (object->map()->has_dictionary_elements()) {
+    Handle<SeededNumberDictionary> new_elements =
+        SeededNumberDictionary::New(isolate, 0);
+    object->set_elements(*new_elements);
+  } else {
+    object->set_elements(object->map()->GetInitialElements());
+  }
 }


=======================================
--- /branches/3.27/src/version.cc       Thu Sep 11 13:38:49 2014 UTC
+++ /branches/3.27/src/version.cc       Thu Sep 18 12:31:55 2014 UTC
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     27
 #define BUILD_NUMBER      34
-#define PATCH_LEVEL       19
+#define PATCH_LEVEL       20
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0

--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.