Reviewers: Hannes Payer,

Message:
PTAL

Description:
The elements field of a newly allocated JSArray could be left uninitialized in some
cases (the fast-literal case).

BUG=340124
LOG=Y

Please review this at https://codereview.chromium.org/139343015/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+5, -0 lines):
  M src/hydrogen.cc


Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index a4c0df2bc5e64f5b2c36d0aa25da1c3bdc214ac9..e6472555f306043f6a28fb55841370b187e0aed1 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -10001,6 +10001,11 @@ HInstruction* HOptimizedGraphBuilder::BuildFastLiteral(
   if (elements_size > 0) {
     HValue* object_elements_size = Add<HConstant>(elements_size);
     if (boilerplate_object->HasFastDoubleElements()) {
+      // Allocation folding will not be able to fold |object| and
+      // |object_elements| together in some cases, so initialize
+      // elements with the undefined to make GC happy.
+      Add<HStoreNamedField>(object, HObjectAccess::ForElementsPointer(),
+          graph()->GetConstantUndefined(), INITIALIZING_STORE);
object_elements = Add<HAllocate>(object_elements_size, HType::JSObject(), pretenure_flag, FIXED_DOUBLE_ARRAY_TYPE, site_context->current());
     } else {
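Review bot: the initializing store of undefined into the elements pointer is added only on the HasFastDoubleElements() path, so if allocation folding of |object| and |object_elements| can also fail for the FixedArray allocation in the else branch that follows, that branch leaves the elements field uninitialized in exactly the same way; either add the same `Add<HStoreNamedField>(object, HObjectAccess::ForElementsPointer(), graph()->GetConstantUndefined(), INITIALIZING_STORE)` there as well, or say in the comment why only the FIXED_DOUBLE_ARRAY_TYPE allocation cannot be folded (the comment currently says "in some cases" without naming them, and "with the undefined" should read "with undefined"). The CL lists only src/hydrogen.cc among the affected files; a regression test for BUG=340124 that creates an array literal with double elements under conditions where folding does not happen and then triggers a GC would make the fix verifiable rather than relying on the comment.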


--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev