https://codereview.chromium.org/35133002/diff/1/src/hydrogen.cc
File src/hydrogen.cc (right):
https://codereview.chromium.org/35133002/diff/1/src/hydrogen.cc#newcode2129
src/hydrogen.cc:2129: HType::JSArray(), NOT_TENURED, instance_type);
On 2013/10/23 09:49:34, Hannes Payer wrote:
This is not correct. JS_ARRAY refers to the array object and FIXED_DOUBLE_ARRAY to its elements. This change may result in a memory corruption since potential mementos behind JS_ARRAY do not get cleared.
What about calling MakeDoubleAligned() instead?
Yes, the problem there is that allocation of the array object and its array of elements is manually folded into one. I am sure it is safe, but it is semantically incorrect to change instance_type. Good point, it is better to call MakeDoubleAligned. The new patch set will be uploaded soon, after testing is done.
https://codereview.chromium.org/35133002/
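The thread turns on why a folded allocation (object and its elements backing store taken from the heap in one bump) must keep every word of the region walkable, including any alignment padding in front of the double-aligned elements. The toy C model below is an added example written for this review summary; it is not V8 code and its tags, sizes and the TAG_FILLER word are constructed assumptions standing in for V8's maps and fillers. It allocates a three-word array object followed by an 8-byte-aligned elements store, writes a filler into the padding word, and shows that a simple heap walker only stays consistent when that padding is cleared, which is the failure mode the reviewer describes for uncleared mementos.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy heap (constructed for this example): bump allocation over 4-byte words. */
#define HEAP_WORDS 64
static _Alignas(8) uint32_t heap[HEAP_WORDS];
static size_t heap_top;            /* index of the next free word */

/* Constructed tags; every object starts with a tag word a walker dispatches on. */
#define TAG_FILLER    0xF1F1F1F1u  /* one-word filler covering alignment padding */
#define TAG_JS_ARRAY  0x4A534152u  /* "JSAR": array object (tag, length, elements index) */
#define TAG_DBL_ARRAY 0x44424C41u  /* "DBLA": elements store (tag, length, doubles...) */

#define JS_ARRAY_WORDS 3
#define DBL_HDR_WORDS  2           /* 8 bytes of header keeps the doubles aligned too */

static void heap_reset(void) {
    memset(heap, 0xAB, sizeof heap);  /* stale bytes left behind by earlier allocations */
    heap_top = 0;
}

/* Folded allocation: one bump of heap_top covers the array object AND its
   double elements. The elements store is placed at an 8-byte aligned address;
   when that needs a padding word, it is written as TAG_FILLER (unless the
   caller asks to skip it, to demonstrate the failure). Returns the object's
   word index, or -1 when the heap is full. */
static long alloc_folded(size_t n_doubles, int write_filler) {
    size_t obj = heap_top;
    size_t elems = obj + JS_ARRAY_WORDS;
    size_t pad = ((uintptr_t)&heap[elems] % 8) ? 1 : 0;  /* 4-byte words: 0 or 1 */
    size_t total = JS_ARRAY_WORDS + pad + DBL_HDR_WORDS + 2 * n_doubles;
    if (heap_top + total > HEAP_WORDS) return -1;
    heap_top += total;                 /* the single bump that "folds" both objects */
    elems += pad;

    heap[obj]     = TAG_JS_ARRAY;
    heap[obj + 1] = (uint32_t)n_doubles;
    heap[obj + 2] = (uint32_t)elems;
    if (pad && write_filler) heap[obj + JS_ARRAY_WORDS] = TAG_FILLER;
    heap[elems]     = TAG_DBL_ARRAY;
    heap[elems + 1] = (uint32_t)n_doubles;
    for (size_t i = 0; i < n_doubles; i++) {
        double v = 0.0;                /* zero-initialise the elements */
        memcpy(&heap[elems + DBL_HDR_WORDS + 2 * i], &v, sizeof v);
    }
    return (long)obj;
}

/* Size in words of the object at index i, or 0 if the tag is unknown. */
static size_t object_words(size_t i) {
    switch (heap[i]) {
    case TAG_FILLER:    return 1;
    case TAG_JS_ARRAY:  return JS_ARRAY_WORDS;
    case TAG_DBL_ARRAY: return DBL_HDR_WORDS + 2 * (size_t)heap[i + 1];
    default:            return 0;
    }
}

/* Walk the heap from word 0 to heap_top. Returns the number of objects seen,
   or -1 if an unknown tag is hit: the walker has misread stale padding as an
   object header, which is how uncleared words turn into heap corruption. */
static long heap_walk(void) {
    size_t i = 0;
    long count = 0;
    while (i < heap_top) {
        size_t w = object_words(i);
        if (w == 0) return -1;
        i += w;
        count++;
    }
    return count;
}

/* 1 if the doubles of obj's elements store sit at an 8-byte aligned address. */
static int elements_are_aligned(long obj) {
    size_t elems = heap[obj + 2];
    return ((uintptr_t)&heap[elems + DBL_HDR_WORDS]) % 8 == 0;
}

int main(void) {
    heap_reset();
    long a = alloc_folded(3, 1);   /* object at 0 is 3 words, so one padding word is needed */
    long b = alloc_folded(2, 1);
    printf("aligned: %d %d, objects walked: %ld\n",
           elements_are_aligned(a), elements_are_aligned(b), heap_walk());
    heap_reset();
    alloc_folded(3, 0);            /* same layout, padding word left as stale bytes */
    printf("objects walked without filler: %ld\n", heap_walk());
    return 0;
}
```

With the filler written, the walker sees six objects (array, filler, elements, twice); with the padding left as stale bytes it stops at an unknown tag after the first object. The general point carries over to the review: whatever is placed between the folded object and its double-aligned elements must be something the heap and the memento-clearing logic recognise, which is what MakeDoubleAligned provides and what retagging the object as FIXED_DOUBLE_ARRAY does not.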
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev