Reviewers: Hannes Payer,
Message:
PTAL
Description:
The elements field of a newly allocated JSArray could be left uninitialized in
some cases (the fast-literal path).
BUG=340124
LOG=Y
Please review this at https://codereview.chromium.org/152673004/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+7, -0 lines):
M src/hydrogen.cc
Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index
478d938cf6fa27d74994d43674af59ca7f05ef41..298496f3a7ea99c272a0467af5c8bd9214b18426
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -9906,6 +9906,13 @@ HInstruction*
HOptimizedGraphBuilder::BuildFastLiteral(
if (elements_size > 0) {
HValue* object_elements_size = Add<HConstant>(elements_size);
if (boilerplate_object->HasFastDoubleElements()) {
+ // Allocation folding will not be able to fold |object| and
+ // |object_elements| together in some cases, so initialize
+ // elements with the undefined to make GC happy.
+ HConstant* empty_fixed_array = Add<HConstant>(
+ isolate()->factory()->empty_fixed_array());
+ Add<HStoreNamedField>(object, HObjectAccess::ForElementsPointer(),
+ empty_fixed_array, INITIALIZING_STORE);
object_elements = Add<HAllocate>(object_elements_size,
HType::JSObject(),
pretenure_flag, FIXED_DOUBLE_ARRAY_TYPE,
site_context->current());
} else {
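Review bot: The comment added just above the HConstant says the elements field is initialized "with the undefined", but the HStoreNamedField that follows writes `empty_fixed_array`, so the comment misdescribes the fix; I would replace it with `// The HAllocate below may not be folded with |object|'s allocation, so a GC triggered by it could see a garbage elements pointer. Store the empty fixed array first so the slot always holds a valid heap object.` That also states the actual hazard instead of "to make GC happy". The initializing store is added only in the double-elements branch; the `else` branch at the end of the hunk (presumably the FixedArray allocation) is outside this view, and if folding can fail there too it needs the same store — hoisting the store above the `if` would cover both paths at the cost of one extra store when folding does succeed. The CL touches only src/hydrogen.cc, so there is no regression test for BUG=340124 exercising the unfolded double-elements literal; BuildFastLiteral continues on both sides of the hunk.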