Chromium Code Reviews

Issue 11017054: Fix CNLT regression. (Closed)

Created: 8 years, 2 months ago by Toon Verwaest
Modified: 8 years, 2 months ago
Reviewers: Jakob Kummerow
CC: v8-dev
Visibility: Public.

Description

Fix CNLT regression.

This happens when a map A with no descriptors in fast_holey_elements mode first gets some properties, making it share descriptor arrays with a map B to which it transitions. Then map A transitions elements kind to dictionary_elements in map C. C stores the empty_descriptor_array in its own transition array. When adding a property to C, C transitions to D and shares the descriptors. If D dies, a CNLT clears the transition array of C, making the descriptor array of A (and thus also of B) shine through. If a property is now added to an object in state C, it'll inherit all the properties of A (and B). If those properties had high field indices, we do not have a large enough backing store for the single newly added property, and we'll write out of bounds.

BUG=chromium:151749
Committed: https://code.google.com/p/v8/source/detail?r=12687

Patch Set 1

Patch Set 2: Fix the test to also crash in release mode (without the assert)

Stats: +20 lines, -17 lines
M src/objects.cc: 2 chunks, +1 line, -11 lines
M src/objects-printer.cc: 1 chunk, +6 lines, -1 line
A + test/mjsunit/regress/regress-cnlt-elements.js: 1 chunk, +13 lines, -5 lines

Messages

Total messages: 2 (0 generated)
Toon Verwaest
8 years, 2 months ago (2012-10-10 12:16:29 UTC) #1
PTAL.

Jakob Kummerow
8 years, 2 months ago (2012-10-10 12:23:59 UTC) #2
lgtm
