Reviewers: danno,
Description:
Merge r9153 into 3.5 branch. This fixes a possible crash in
FixedDoubleArray::Initialize().
BUG=95113
Please review this at http://codereview.chromium.org/7779048/
SVN Base: http://v8.googlecode.com/svn/branches/3.5/
Affected files:
M src/objects-inl.h
M src/version.cc
A + test/mjsunit/regress/regress-95113.js
### BEGIN SVN COPY METADATA
#$ cp branches/bleeding_edge/test/mjsunit/regress/regress-95113.js
test/mjsunit/regress/regress-95113.js
### END SVN COPY METADATA
Index: src/objects-inl.h
===================================================================
--- src/objects-inl.h (revision 9148)
+++ src/objects-inl.h (working copy)
@@ -1749,9 +1749,15 @@
void FixedDoubleArray::Initialize(FixedDoubleArray* from) {
int old_length = from->length();
ASSERT(old_length < length());
- OS::MemCopy(FIELD_ADDR(this, kHeaderSize),
- FIELD_ADDR(from, kHeaderSize),
- old_length * kDoubleSize);
+ if (old_length * kDoubleSize >= OS::kMinComplexMemCopy) {
+ OS::MemCopy(FIELD_ADDR(this, kHeaderSize),
+ FIELD_ADDR(from, kHeaderSize),
+ old_length * kDoubleSize);
+ } else {
+ for (int i = 0; i < old_length; ++i) {
+ set(i, from->get_scalar(i));
+ }
+ }
int offset = kHeaderSize + old_length * kDoubleSize;
for (int current = from->length(); current < length(); ++current) {
WRITE_DOUBLE_FIELD(this, offset, hole_nan_as_double());
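Review bot: The two branches of the new `if` are not obviously equivalent: the MemCopy path copies raw bits, while the fallback loop goes through `set(i, from->get_scalar(i))`, and if `set` canonicalizes NaN values (holes are a distinct NaN bit pattern, as the `hole_nan_as_double()` fill below shows) a hole in `from` would be rewritten as a plain NaN for short arrays only. Copying raw fields keeps both paths identical, e.g. replacing the loop body with `WRITE_DOUBLE_FIELD(this, kHeaderSize + i * kDoubleSize, READ_DOUBLE_FIELD(from, kHeaderSize + i * kDoubleSize));`. The threshold also deserves a comment, since nothing in the hunk says why the size matters; presumably `// OS::MemCopy needs at least kMinComplexMemCopy bytes; copy shorter ranges element-wise.`. Note that `ASSERT(old_length < length())` is compiled out in release builds, so the copy into `this` relies entirely on callers passing a shorter source. The body of `FixedDoubleArray::Initialize` continues past the end of the hunk.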
Index: src/version.cc
===================================================================
--- src/version.cc (revision 9148)
+++ src/version.cc (working copy)
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 5
#define BUILD_NUMBER 10
-#define PATCH_LEVEL 3
+#define PATCH_LEVEL 4
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-95113.js