Drive-by-comments on the regression test.
https://chromiumcodereview.appspot.com/11931037/diff/14001/test/cctest/test-heap.cc
File test/cctest/test-heap.cc (right):

https://chromiumcodereview.appspot.com/11931037/diff/14001/test/cctest/test-heap.cc#newcode2749
test/cctest/test-heap.cc:2749: ASSERT(limit != *limit_addr);
I think we can drop the assertion on whether the limit changed after a GC.

https://chromiumcodereview.appspot.com/11931037/diff/14001/test/cctest/test-heap.cc#newcode2757
test/cctest/test-heap.cc:2757: JSArray::kSize + AllocationSiteInfo::kSize +
Wouldn't it be better to just allocate the array completely at the end of new-space, without any allocation-site info and trailing pointer? This should still trigger the crash and, on top of that, make sure that the stub doesn't read a single pointer out of bounds. It would also make the test case much simpler.

https://chromiumcodereview.appspot.com/11931037/

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
