Protect the emptiness of Array prototype elements with a PropertyCell.
authormvstanton <mvstanton@chromium.org>
Wed, 22 Apr 2015 08:50:30 +0000 (01:50 -0700)
committerCommit bot <commit-bot@chromium.org>
Wed, 22 Apr 2015 08:50:14 +0000 (08:50 +0000)
commitb6f075f0010df31acac38c1857dd4e474d5c8ca4
tree27df059aeb2fa4a7967bb258d0da264934dbb4c1
parent310d205c8f032cf268271c6c4d6a97495fc51220
Protect the emptiness of Array prototype elements with a PropertyCell.

Not just emptiness, but also a particular structure.

BUG=v8:4044
LOG=N

Review URL: https://codereview.chromium.org/1092043002

Cr-Commit-Position: refs/heads/master@{#27993}
12 files changed:
src/builtins.cc
src/compilation-dependencies.h
src/heap/heap.cc
src/heap/heap.h
src/hydrogen.h
src/isolate.cc
src/isolate.h
src/objects.cc
src/objects.h
test/cctest/test-api.cc
test/mjsunit/concurrent-initial-prototype-change.js
test/mjsunit/elide-double-hole-check-12.js [new file with mode: 0644]