You need to handle allocation failure.
http://codereview.chromium.org/661179/diff/1005/1006
File src/ia32/codegen-ia32.cc (right):

http://codereview.chromium.org/661179/diff/1005/1006#newcode5817
src/ia32/codegen-ia32.cc:5817:
I assume this is just a move, with no changes in the function.

http://codereview.chromium.org/661179/diff/1005/1006#newcode6015
src/ia32/codegen-ia32.cc:6015: Result result = frame_->Pop();
Remember to do result.ToRegister() and result.Spill().

http://codereview.chromium.org/661179/diff/1005/1006#newcode6029
src/ia32/codegen-ia32.cc:6029: __ j(not_equal, &end);
Move frame_->Push(&result) after bind(&end) so it becomes obvious that we
return result.reg() in either case. (That's what happens now anyway; it's
hard to see.)

http://codereview.chromium.org/661179/diff/1005/1006#newcode6035
src/ia32/codegen-ia32.cc:6035: __ AllocateHeapNumber(result.reg(), scratch.reg(), no_reg, &end);
If allocation fails, result.reg() has been changed to point to unallocated
memory (very near the end of the newspace semispace). On failure you should
go to somewhere that calls the runtime and finishes the job instead of just
returning and (eventually) crashing.

http://codereview.chromium.org/661179

-- 
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
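The failure mode raised in the last comment, shown in plain C++ as an added example that is not part of the review or of V8's own code. NewSpace, Runtime, HeapNumber, BoxDoubleUnchecked and BoxDouble are hypothetical names: TryAllocate mimics the contract described for the assembler helper (on failure the out-pointer is still written and points at the unallocated top of the space), BoxDoubleUnchecked is the shape the reviewer objects to (the failure branch falls through to the return), and BoxDouble is the requested shape (the failure branch goes to a slow path that completes the job, and both paths join before the single point that yields the result).

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <new>
#include <vector>

// Boxed double: the shape of a heap number in this toy (hypothetical type).
struct HeapNumber { double value; };

// Toy bump-allocated "new space" (hypothetical). TryAllocate follows the
// contract the review describes for the fast-path allocator: the out-pointer
// is written even when allocation fails, and then points at the current
// allocation top, i.e. at memory that was never handed out.
struct NewSpace {
    std::vector<unsigned char> buf;
    size_t top = 0;
    explicit NewSpace(size_t bytes) : buf(bytes) {}

    bool TryAllocate(size_t size, void** out) {
        *out = buf.data() + top;                 // written on the failure path too
        if (top + size > buf.size()) return false;
        top += size;
        return true;
    }

    // True if a HeapNumber at p lies entirely inside this space.
    bool Contains(const void* p) const {
        uintptr_t lo = reinterpret_cast<uintptr_t>(buf.data());
        uintptr_t hi = lo + buf.size();
        uintptr_t q = reinterpret_cast<uintptr_t>(p);
        return q >= lo && q + sizeof(HeapNumber) <= hi;
    }
};

// Stand-in for the runtime call the review asks for on the failure branch:
// allocates the number outside new space and keeps it alive (hypothetical).
struct Runtime {
    std::vector<std::unique_ptr<HeapNumber>> old_space;
    HeapNumber* AllocateHeapNumber(double v) {
        old_space.push_back(std::make_unique<HeapNumber>(HeapNumber{v}));
        return old_space.back().get();
    }
};

// "Before": the failure label jumps straight to the return, so when new space
// is full the caller receives the unallocated top address. The bogus pointer
// is returned but never dereferenced here; callers would crash eventually.
HeapNumber* BoxDoubleUnchecked(NewSpace& ns, double v) {
    void* p;
    if (ns.TryAllocate(sizeof(HeapNumber), &p)) {
        return new (p) HeapNumber{v};
    }
    return static_cast<HeapNumber*>(p);          // points past the last object
}

// "After": the failure branch goes to a slow path that finishes the job via
// the runtime; fast and slow path join before the single point that yields
// the result, the analogue of binding &end and only then pushing result.
HeapNumber* BoxDouble(NewSpace& ns, Runtime& rt, double v) {
    HeapNumber* result;
    void* p;
    if (ns.TryAllocate(sizeof(HeapNumber), &p)) {
        result = new (p) HeapNumber{v};          // fast path: bump allocation
    } else {
        result = rt.AllocateHeapNumber(v);       // slow path: runtime call
    }
    return result;                               // valid in either case
}

int main() {
    NewSpace ns(2 * sizeof(HeapNumber));         // room for exactly two numbers
    Runtime rt;
    HeapNumber* a = BoxDouble(ns, rt, 1.5);      // fast path
    HeapNumber* b = BoxDouble(ns, rt, 2.5);      // fast path, space now full
    HeapNumber* c = BoxDouble(ns, rt, 3.5);      // slow path, still a real object
    return (ns.Contains(a) && ns.Contains(b) && !ns.Contains(c) && c->value == 3.5) ? 0 : 1;
}
```

The test exercises both shapes on a space sized for a fixed number of objects: the checked version keeps returning usable objects once the space is full, while the unchecked version's return value is outside the space and must never be used.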
