
Side by Side Diff: src/objects-inl.h

Issue 15739003: Fix unexpected elements transition in JSON.parse (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Created 7 years, 7 months ago
1 // Copyright 2012 the V8 project authors. All rights reserved. 1 // Copyright 2012 the V8 project authors. All rights reserved.
2 // Redistribution and use in source and binary forms, with or without 2 // Redistribution and use in source and binary forms, with or without
3 // modification, are permitted provided that the following conditions are 3 // modification, are permitted provided that the following conditions are
4 // met: 4 // met:
5 // 5 //
6 // * Redistributions of source code must retain the above copyright 6 // * Redistributions of source code must retain the above copyright
7 // notice, this list of conditions and the following disclaimer. 7 // notice, this list of conditions and the following disclaimer.
8 // * Redistributions in binary form must reproduce the above 8 // * Redistributions in binary form must reproduce the above
9 // copyright notice, this list of conditions and the following 9 // copyright notice, this list of conditions and the following
10 // disclaimer in the documentation and/or other materials provided 10 // disclaimer in the documentation and/or other materials provided
(...skipping 1487 matching lines...) Expand 10 before | Expand all | Expand 10 after
1498 if (!maybe->To(&map)) return maybe; 1498 if (!maybe->To(&map)) return maybe;
1499 set_map(map); 1499 set_map(map);
1500 initialize_elements(); 1500 initialize_elements();
1501 1501
1502 return this; 1502 return this;
1503 } 1503 }
1504 1504
1505 1505
1506 MaybeObject* JSObject::AllocateStorageForMap(Map* map) { 1506 MaybeObject* JSObject::AllocateStorageForMap(Map* map) {
1507 ASSERT(this->map()->inobject_properties() == map->inobject_properties()); 1507 ASSERT(this->map()->inobject_properties() == map->inobject_properties());
1508 ElementsKind expected_kind = this->map()->elements_kind(); 1508 ElementsKind obj_kind = this->map()->elements_kind();
1509 if (map->elements_kind() != expected_kind) { 1509 ElementsKind map_kind = map->elements_kind();
1510 MaybeObject* maybe_map = map->AsElementsKind(expected_kind); 1510 if (map_kind != obj_kind) {
1511 ElementsKind to_kind = map_kind;
1512 if (IsMoreGeneralElementsKindTransition(map_kind, obj_kind) ||
1513 IsDictionaryElementsKind(obj_kind)) {
1514 to_kind = obj_kind;
1515 }
1516 MaybeObject* maybe_obj =
1517 IsDictionaryElementsKind(to_kind) ? NormalizeElements()
1518 : TransitionElementsKind(to_kind);
1519 if (maybe_obj->IsFailure()) return maybe_obj;
1520 MaybeObject* maybe_map = map->AsElementsKind(to_kind);
1511 if (!maybe_map->To(&map)) return maybe_map; 1521 if (!maybe_map->To(&map)) return maybe_map;
1512 } 1522 }
1513 int total_size = 1523 int total_size =
1514 map->NumberOfOwnDescriptors() + map->unused_property_fields(); 1524 map->NumberOfOwnDescriptors() + map->unused_property_fields();
1515 int out_of_object = total_size - map->inobject_properties(); 1525 int out_of_object = total_size - map->inobject_properties();
1516 if (out_of_object != properties()->length()) { 1526 if (out_of_object != properties()->length()) {
1517 FixedArray* new_properties; 1527 FixedArray* new_properties;
1518 MaybeObject* maybe_properties = properties()->CopySize(out_of_object); 1528 MaybeObject* maybe_properties = properties()->CopySize(out_of_object);
1519 if (!maybe_properties->To(&new_properties)) return maybe_properties; 1529 if (!maybe_properties->To(&new_properties)) return maybe_properties;
1520 set_properties(new_properties); 1530 set_properties(new_properties);
(...skipping 4671 matching lines...) Expand 10 before | Expand all | Expand 10 after
6192 #undef WRITE_UINT32_FIELD 6202 #undef WRITE_UINT32_FIELD
6193 #undef READ_SHORT_FIELD 6203 #undef READ_SHORT_FIELD
6194 #undef WRITE_SHORT_FIELD 6204 #undef WRITE_SHORT_FIELD
6195 #undef READ_BYTE_FIELD 6205 #undef READ_BYTE_FIELD
6196 #undef WRITE_BYTE_FIELD 6206 #undef WRITE_BYTE_FIELD
6197 6207
6198 6208
6199 } } // namespace v8::internal 6209 } } // namespace v8::internal
6200 6210
6201 #endif // V8_OBJECTS_INL_H_ 6211 #endif // V8_OBJECTS_INL_H_
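Review bot: Nothing after the new branch in `JSObject::AllocateStorageForMap` (new lines 1510–1522) checks that the receiver's elements kind and `map`'s elements kind ended up equal, even though the two are now brought to `to_kind` by separate calls (`NormalizeElements()` or `TransitionElementsKind(to_kind)` on the object, `map->AsElementsKind(to_kind)` on the map). A map whose elements kind disagrees with the object's backing store is a memory-safety problem in release builds, so I would add `ASSERT(this->map()->elements_kind() == map->elements_kind());` right after the closing brace at new line 1522, matching the existing in-object-properties ASSERT at 1507. The object transition also runs when `to_kind == obj_kind`, which presumably relies on both callees treating a same-kind request as a no-op; a comment above `to_kind` such as `// Use the more general of the two kinds; a dictionary-mode object stays in dictionary mode.` would make the selection rule explicit. The function body continues past new line 1530, outside the visible lines, so whether a later check already covers this cannot be confirmed from this page.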