Revision: 5575 Author: [email protected] Date: Fri Oct 1 05:40:30 2010 Log: Fix property array length calculation in TransformPropertiesToFastFor.
It was silently assumed that inobject_properties value is not too large. Recent introduction of inobject slack tracking made the assumption false and debug tests with no snapshot failed. Review URL: http://codereview.chromium.org/3584004 http://code.google.com/p/v8/source/detail?r=5575 Modified: /branches/bleeding_edge/src/objects.cc ======================================= --- /branches/bleeding_edge/src/objects.cc Fri Sep 24 01:18:33 2010 +++ /branches/bleeding_edge/src/objects.cc Fri Oct 1 05:40:30 2010 @@ -8719,6 +8719,11 @@ int inobject_props = obj->map()->inobject_properties(); int number_of_allocated_fields = number_of_fields + unused_property_fields - inobject_props; + if (number_of_allocated_fields < 0) { + // There is enough inobject space for all fields (including unused). + number_of_allocated_fields = 0; + unused_property_fields = inobject_props - number_of_fields; + } // Allocate the fixed array for the fields. Object* fields = Heap::AllocateFixedArray(number_of_allocated_fields); -- v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev
