Revision: 3538 Author: [email protected] Date: Tue Jan 5 04:33:55 2010 Log: - Fixed a bug in the array concat implementation causing the elements in the result to be lost.
Review URL: http://codereview.chromium.org/523055 http://code.google.com/p/v8/source/detail?r=3538 Modified: /branches/bleeding_edge/src/objects.cc /branches/bleeding_edge/src/runtime.cc
=======================================
--- /branches/bleeding_edge/src/objects.cc Tue Jan 5 03:38:36 2010
+++ /branches/bleeding_edge/src/objects.cc Tue Jan 5 04:33:55 2010
@@ -6886,7 +6886,7 @@
 // 50% is still free after adding n elements and
 // at most 50% of the free elements are deleted elements.
 if ((nof + (nof >> 1) <= capacity) &&
- (nod <= (capacity - nof) >> 1) ) return this;
+ (nod <= (capacity - nof) >> 1)) return this;
 Object* obj = Allocate(nof * 2);
 if (obj->IsFailure()) return obj;
=======================================
--- /branches/bleeding_edge/src/runtime.cc Tue Jan 5 01:38:02 2010
+++ /branches/bleeding_edge/src/runtime.cc Tue Jan 5 04:33:55 2010
@@ -5390,6 +5390,8 @@
 void increase_index_offset(uint32_t delta) {
 index_offset_ += delta;
 }
+
+ Handle<FixedArray> storage() { return storage_; }
 private:
 Handle<FixedArray> storage_;
@@ -5700,7 +5702,8 @@
 IterateArguments(arguments, &visitor);
 result->set_length(*len);
- result->set_elements(*storage);
+ // Please note the storage might have changed in the visitor.
+ result->set_elements(*visitor.storage());
 return *result;
 }
-- v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev
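Review bot: The new `storage()` accessor in the first runtime.cc hunk has no comment saying when a caller has to read it, and that timing is exactly what the fix in the following hunk depends on. A handle taken before the visit can be out of date afterwards, so I would document that on the accessor itself, e.g. `// Returns the current backing store; re-read it after visiting, since the visitor may replace it.` The accessor only returns the member and could probably be declared `const` as well. The enclosing class starts and ends outside the hunk.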
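Review bot: In the second runtime.cc hunk the caller's local `storage` handle is still in scope after `IterateArguments(arguments, &visitor)`, and from there on it may name a backing store the visitor has already replaced, so any later use of it would quietly bring the lost-elements bug back. The added comment would help more if it said so, e.g. `// The visitor may have replaced its backing store while adding elements, so the local 'storage'` / `// handle can be stale here; always read visitor.storage() after the visit.` The revision's Modified list names only objects.cc and runtime.cc, so no regression test accompanies the fix; a concat case that makes the store change during the visit would pin the behaviour, which matters because stale references to a replaced elements store are the kind of defect that can become a memory-safety problem in an engine. The function starts outside the hunk.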
