projects / platform / upstream / v8.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 41a4831) | patch
Fix for V8 issue 2795: Check fails with deopt for mjsunit/array-store-and-grow
authormvstanton@chromium.org <mvstanton@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Mon, 29 Jul 2013 11:50:39 +0000 (11:50 +0000)
committermvstanton@chromium.org <mvstanton@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Mon, 29 Jul 2013 11:50:39 +0000 (11:50 +0000)
commite9cc78af7ec7d9504da478b9e1679e86df690b0a
tree77986f193e166f015b82d43a092ddac53152205etree | snapshot
parent41a4831fd9a154c090166f3aaa380e441bc4d2b4commit | diff
Fix for V8 issue 2795: Check fails with deopt for mjsunit/array-store-and-grow
(https://code.google.com/p/v8/issues/detail?id=2795)

The reason is when allocating and building arrays in hydrogen we need to ensure
we do any int32-to-smi conversions BEFORE the allocation. These conversions can
at least theoretically deoptimize. If this happens before all the fields of the
newly allocated object are filled in, we will have a corrupted heap.

BUG=
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/20726002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15929 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
src/hydrogen-instructions.h diff | blob | history
src/hydrogen.cc diff | blob | history
test/mjsunit/array-store-and-grow.js diff | blob | history
Domain: Web Framework / Web Engine;