LGTM
http://codereview.chromium.org/660245/diff/15/17
File src/builtins.cc (right):

http://codereview.chromium.org/660245/diff/15/17#newcode276
src/builtins.cc:276: Heap::RecordWrites(dst->address(),
How about adding a static function to FixedArray calculating FixedArray::kHeaderSize + dst_index * kPointerSize, as it is used a couple of times here (like the data_start() you already added)? It is actually what FixedArray::SizeFor() does, but I think there should be one with a different name.

http://codereview.chromium.org/660245/diff/15/19
File src/heap.h (right):

http://codereview.chromium.org/660245/diff/15/19#newcode773
src/heap.h:773: // Write barrier support for address[start : start + len] = o.
Is start + len included? ([start : start + len] -> [start : start + len[)

http://codereview.chromium.org/660245/diff/15/29
File test/mjsunit/fuzz-natives.js (right):

http://codereview.chromium.org/660245/diff/15/29#newcode152
test/mjsunit/fuzz-natives.js:152: // That can only be invoked on Array.prototype.
That -> This

Why can't this survive fuzzing?

http://codereview.chromium.org/660245

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
