projects / platform / upstream / v8.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7dd2d6c) | patch
The Elements pointer in a JSObject can have a filler map instead of a
authormvstanton@chromium.org <mvstanton@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Fri, 25 Oct 2013 12:26:47 +0000 (12:26 +0000)
committermvstanton@chromium.org <mvstanton@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Fri, 25 Oct 2013 12:26:47 +0000 (12:26 +0000)
commita85c825bb928f379312dac1a2db86f34cbfd54c6
treef3a56614cbaa5933ae081933490b7f42c7a6ed65tree | snapshot
parent7dd2d6c590edcad0a492eb9b4ff107900218518fcommit | diff
The Elements pointer in a JSObject can have a filler map instead of a
valid fixed array, iff a gc occurred while allocating a fixed array as
part of array construction. Heap verification needs protection against
examining the elements object in this case.

R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/43383004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17397 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
src/objects-debug.cc diff | blob | history
src/objects-inl.h diff | blob | history
src/objects.h diff | blob | history
test/mjsunit/mjsunit.status diff | blob | history
Domain: Web Framework / Web Engine;