Reviewers: Jakob,
Message:
Hi Jakob, would you have a look at this follow-on CL? This expands the empty
Array.prototype protection across contexts. It also makes the protection state
queryable through the value of a cell (could become useful in ic handlers).
The meaning of the cell having the value 1 is that:
a) there are no elements in the array or object prototype chain,
b) the array.prototype's prototype is the object prototype.
If this condition is broken in any context, it's considered broken in all
contexts.
Thanks,
--Michael
Description:
Protect the emptiness of Array prototype elements with a PropertyCell.
Not just emptiness, but also a particular structure.
BUG=v8:4044
LOG=N
Please review this at https://codereview.chromium.org/1092043002/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+187, -29 lines):
M src/builtins.cc
M src/compilation-dependencies.h
M src/heap/heap.h
M src/heap/heap.cc
M src/hydrogen.h
M src/isolate.h
M src/isolate.cc
M src/objects.h
M src/objects.cc
M test/cctest/test-api.cc
A + test/mjsunit/elide-double-hole-check-12.js
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
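
The cell's meaning as described in the message, modelled in Node.js as an added example (not code from the CL or from V8). The names `newContext`, `contextIsIntact`, `cellValue` and `demo` are hypothetical, and the value is recomputed on demand here rather than stored in a cell.

```javascript
// Added illustration, not V8 source: models the cell's meaning in plain JS.
const vm = require('vm');

// Each vm context is a separate realm with its own Array/Object prototypes.
function newContext() {
  const realm = vm.createContext({});
  return {
    run: (src) => vm.runInContext(src, realm),
    Array: vm.runInContext('Array', realm),
    Object: vm.runInContext('Object', realm),
  };
}

// True if obj has an own integer-indexed property (an "element").
function hasElements(obj) {
  return Object.getOwnPropertyNames(obj).some((k) => /^(0|[1-9]\d*)$/.test(k));
}

// Conditions (a) and (b) from the message, checked for one context.
function contextIsIntact(ctx) {
  const arrayProto = ctx.Array.prototype;
  const objectProto = ctx.Object.prototype;
  const a = !hasElements(arrayProto) && !hasElements(objectProto);
  const b = Object.getPrototypeOf(arrayProto) === objectProto;
  return a && b;
}

// Hypothetical cellValue(): 1 only if every context satisfies (a) and (b).
function cellValue(contexts) {
  return contexts.every(contextIsIntact) ? 1 : 0;
}

// Constructed scenario: two pairs of contexts, one breaking (a), one breaking (b).
function demo() {
  const first = [newContext(), newContext()];
  const before = cellValue(first);
  const holeBefore = first[1].run('[, 1][0]'); // hole reads as undefined
  first[1].run('Array.prototype[0] = "from-prototype"'); // breaks (a) in one context
  const holeAfter = first[1].run('[, 1][0]'); // hole read now reaches the prototype
  const afterElement = cellValue(first);

  const second = [newContext(), newContext()];
  second[0].run('Object.setPrototypeOf(Array.prototype, {})'); // breaks (b)
  return { before, holeBefore, holeAfter, afterElement, afterChain: cellValue(second) };
}
```

The `holeAfter` result shows why code that skips hole checks needs this invariant: once a prototype carries an element, a read of a hole no longer yields `undefined`.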