| Index: src/objects-inl.h
|
| diff --git a/src/objects-inl.h b/src/objects-inl.h
|
| index 40cb1fdeda173008888fa2a09e5bc725ea24f331..95a0eca6a88ac51a04b2e47b59439a104cc4e9ae 100644
|
| --- a/src/objects-inl.h
|
| +++ b/src/objects-inl.h
|
| @@ -1505,9 +1505,19 @@ MaybeObject* JSObject::ResetElements() {
|
|
|
| MaybeObject* JSObject::AllocateStorageForMap(Map* map) {
|
| ASSERT(this->map()->inobject_properties() == map->inobject_properties());
|
| - ElementsKind expected_kind = this->map()->elements_kind();
|
| - if (map->elements_kind() != expected_kind) {
|
| - MaybeObject* maybe_map = map->AsElementsKind(expected_kind);
|
| + ElementsKind obj_kind = this->map()->elements_kind();
|
| + ElementsKind map_kind = map->elements_kind();
|
| + if (map_kind != obj_kind) {
|
| + ElementsKind to_kind = map_kind;
|
| + if (IsMoreGeneralElementsKindTransition(map_kind, obj_kind) ||
|
| + IsDictionaryElementsKind(obj_kind)) {
|
| + to_kind = obj_kind;
|
| + }
|
| + MaybeObject* maybe_obj =
|
| + IsDictionaryElementsKind(to_kind) ? NormalizeElements()
|
| + : TransitionElementsKind(to_kind);
|
| + if (maybe_obj->IsFailure()) return maybe_obj;
|
| + MaybeObject* maybe_map = map->AsElementsKind(to_kind);
|
| if (!maybe_map->To(&map)) return maybe_map;
|
| }
|
| int total_size =
|
|
|
Chromium Code Reviews
Issue 15739003:
Fix unexpected elements transition in JSON.parse (Closed)
Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge