A JSArray may have a filler map in the elements pointer.
We already have code that expects this, but incorrectly asserted that the
filler map case would never happen when allocation folding is turned on.
However, even folding has it's limits, bailing out of continued folding
when the object size grows too large. Therefore, it's a general problem
when verifying JSArray objects, that we might encounter a filler map
in elements().
Discovered by ClusterFuzz crbug 347903.
R=hpayer@chromium.org
LOG=N
BUG=347903
Review URL: https://codereview.chromium.org/
184493002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19604
ce2b1a6d-e550-0410-aec6-
3dcde31c8c00
projects / platform / upstream / v8.git / commit