src/objects.cc - Issue 9365055: Fix crashing bugs in store-and-grow IC for double values.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/objects.cc

Issue 9365055: Fix crashing bugs in store-and-grow IC for double values. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge

Patch Set: Created 8 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/objects.cc

diff --git a/src/objects.cc b/src/objects.cc

index 1e90868bc4e11088c9c6ba56954e0cfd78826bfe..c9887679b78a1d9edfde3fb20edb91cdadc72a52 100644

--- a/src/objects.cc

+++ b/src/objects.cc

@@ -8683,23 +8683,25 @@ MaybeObject* JSObject::SetFastDoubleElementsCapacityAndLength(

FixedArrayBase* old_elements = elements();

ElementsKind elements_kind(GetElementsKind());

AssertNoAllocation no_gc;

- switch (elements_kind) {

- case FAST_SMI_ONLY_ELEMENTS:

- case FAST_ELEMENTS: {

- elems->Initialize(FixedArray::cast(old_elements));

- break;

- }

- case FAST_DOUBLE_ELEMENTS: {

- elems->Initialize(FixedDoubleArray::cast(old_elements));

- break;

- }

- case DICTIONARY_ELEMENTS: {

- elems->Initialize(SeededNumberDictionary::cast(old_elements));

- break;

+ if (old_elements->length() != 0) {

+ switch (elements_kind) {

+ case FAST_SMI_ONLY_ELEMENTS:

+ case FAST_ELEMENTS: {

+ elems->Initialize(FixedArray::cast(old_elements));

+ break;

+ }

+ case FAST_DOUBLE_ELEMENTS: {

+ elems->Initialize(FixedDoubleArray::cast(old_elements));

+ break;

+ }

+ case DICTIONARY_ELEMENTS: {

+ elems->Initialize(SeededNumberDictionary::cast(old_elements));

+ break;

+ }

+ default:

+ UNREACHABLE();

+ break;

}

- default:

- UNREACHABLE();

- break;

}

if (FLAG_trace_elements_transitions) {

@@ -9643,13 +9645,14 @@ MUST_USE_RESULT MaybeObject* JSObject::SetFastDoubleElement(

bool check_prototype) {

ASSERT(HasFastDoubleElements());

- FixedDoubleArray* elms = FixedDoubleArray::cast(elements());

- uint32_t elms_length = static_cast<uint32_t>(elms->length());

+ FixedArrayBase* base_elms = FixedArrayBase::cast(elements());

+ uint32_t elms_length = static_cast<uint32_t>(base_elms->length());

// If storing to an element that isn't in the array, pass the store request

// up the prototype chain before storing in the receiver's elements.

if (check_prototype &&

- (index >= elms_length || elms->is_the_hole(index))) {

+ (index >= elms_length ||

+ FixedDoubleArray::cast(base_elms)->is_the_hole(index))) {

bool found;

MaybeObject* result = SetElementWithCallbackSetterInPrototypes(index,

value,

@@ -9684,6 +9687,7 @@ MUST_USE_RESULT MaybeObject* JSObject::SetFastDoubleElement(

// Check whether there is extra space in the fixed array.

if (index < elms_length) {

+ FixedDoubleArray* elms = FixedDoubleArray::cast(elements());

elms->set(index, double_value);

if (IsJSArray()) {

// Update the length of the array if needed.

« no previous file with comments | « src/ia32/stub-cache-ia32.cc ('k') | test/mjsunit/regress/regress-113924.js » ('j') | no next file with comments »