Sorry for the late review.

http://codereview.chromium.org/650043/diff/1/3
File src/builtins.cc (right):

http://codereview.chromium.org/650043/diff/1/3#newcode390
src/builtins.cc:390: static bool ArrayPrototypeHasNoElements() {
Are these checks enough? I think you can introduce elements higher up the
chain like this:

Array.prototype.__proto__ = {a:1}
Array.prototype.__proto__.__proto__ = {"1":2}
a = new Array()

a[1] is now 2. Are there any constraints that the array operations will only
look one step up the chain, or am I missing something here?

Do we have a test on the non-writability of Object and Array prototype fields?

http://codereview.chromium.org/650043/diff/1/3#newcode464
src/builtins.cc:464: // TODO(antonm): try to shift/copy RSet bits when moving/copying.
Please open an issue and change this TODO to TODO(issue).

http://codereview.chromium.org/650043/diff/1/5
File src/objects.h (right):

http://codereview.chromium.org/650043/diff/1/5#newcode1629
src/objects.h:1629: // Gives access to raw memory which stores array's data.
array's -> the array's

http://codereview.chromium.org/650043/diff/1/8
File test/mjsunit/array-elements-from-array-prototype.js (right):

http://codereview.chromium.org/650043/diff/1/8#newcode31
test/mjsunit/array-elements-from-array-prototype.js:31: // If add any new tests here, consider adding them to all four files:
four == two?

http://codereview.chromium.org/650043/diff/1/8#newcode174
test/mjsunit/array-elements-from-array-prototype.js:174: // now owned undefined resides at 4 and rest is shifted right by one
Start comment uppercase and end with period.

http://codereview.chromium.org/650043/diff/1/9
File test/mjsunit/array-elements-from-object-prototype.js (right):

http://codereview.chromium.org/650043/diff/1/9#newcode29
test/mjsunit/array-elements-from-object-prototype.js:29: // Tests below verify that elements set on Array.prototype propagate
Array -> Object?

http://codereview.chromium.org/650043/diff/1/9#newcode31
test/mjsunit/array-elements-from-object-prototype.js:31: // If add any new tests here, consider adding them to all four files:
four == two?

http://codereview.chromium.org/650043/diff/1/9#newcode174
test/mjsunit/array-elements-from-object-prototype.js:174: // now owned undefined resides at 4 and rest is shifted right by one
Start comment uppercase and end with period.

http://codereview.chromium.org/650043/diff/1/10
File test/mjsunit/fuzz-natives.js (right):

http://codereview.chromium.org/650043/diff/1/10#newcode152
test/mjsunit/fuzz-natives.js:152: // That must only be invoked on Array.prototype.
That must -> This can

http://codereview.chromium.org/650043

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
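The prototype-chain scenario from the review, run as an added JavaScript example that is not code from the review or from V8: `isArrayIndex`, `elementsOnPrototypeChain`, `shallowCheckSaysNoElements` and `reproduce` are hypothetical helpers, and the shallow check only models a lookup that stops at Array.prototype, not V8's ArrayPrototypeHasNoElements itself.

```javascript
// True when `key` is a canonical array index string ("1", not "01").
function isArrayIndex(key) {
  const n = Number(key);
  return Number.isInteger(n) && n >= 0 && n < 2 ** 32 - 1 && String(n) === key;
}

// Walk the whole prototype chain of `obj` and report every own property
// that is an array index, with how many steps up it was found.
function elementsOnPrototypeChain(obj) {
  const found = [];
  let depth = 0;
  for (let p = Object.getPrototypeOf(obj); p !== null; p = Object.getPrototypeOf(p)) {
    for (const key of Object.getOwnPropertyNames(p)) {
      if (isArrayIndex(key)) found.push({ depth, index: Number(key), value: p[key] });
    }
    depth++;
  }
  return found;
}

// Hypothetical one-level check: inspects Array.prototype's own keys only,
// which is the kind of check the review asks about.
function shallowCheckSaysNoElements() {
  return Object.getOwnPropertyNames(Array.prototype).every((k) => !isArrayIndex(k));
}

// Reproduce the chain from the review, then restore Array.prototype's
// prototype so the rest of the program is unaffected.
function reproduce() {
  const saved = Object.getPrototypeOf(Array.prototype);
  try {
    const intermediate = { a: 1 };
    Object.setPrototypeOf(intermediate, { "1": 2 });
    Object.setPrototypeOf(Array.prototype, intermediate);
    const a = new Array();
    return {
      observed: a[1],                                  // 2, found two steps above Array.prototype
      shallow: shallowCheckSaysNoElements(),           // true: Array.prototype itself is clean
      deep: elementsOnPrototypeChain(a).length === 0,  // false: the chain does carry an element
      chain: elementsOnPrototypeChain(a),
    };
  } finally {
    Object.setPrototypeOf(Array.prototype, saved);
  }
}
```

A fast path guarded only by the shallow check would skip the prototype lookup that the spec requires, which is why the full chain has to be considered or the fast path disabled once any prototype in it gains elements.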
