projects / platform / upstream / v8.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 559826f)
Elements field of newly allocated JSArray could be left uninitialized in some cases...
authorishell@chromium.org <ishell@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Mon, 3 Feb 2014 13:33:26 +0000 (13:33 +0000)
committerishell@chromium.org <ishell@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Mon, 3 Feb 2014 13:33:26 +0000 (13:33 +0000)
BUG=340124
LOG=Y
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/152673004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19026 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/hydrogen.cc patch | blob | history

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 478d938..298496f 100644 (file)
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -9906,6 +9906,13 @@ HInstruction* HOptimizedGraphBuilder::BuildFastLiteral(
   if (elements_size > 0) {
     HValue* object_elements_size = Add<HConstant>(elements_size);
     if (boilerplate_object->HasFastDoubleElements()) {
+      // Allocation folding will not be able to fold |object| and
+      // |object_elements| together in some cases, so initialize
+      // elements with the undefined to make GC happy.
+      HConstant* empty_fixed_array = Add<HConstant>(
+          isolate()->factory()->empty_fixed_array());
+      Add<HStoreNamedField>(object, HObjectAccess::ForElementsPointer(),
+                            empty_fixed_array, INITIALIZING_STORE);
       object_elements = Add<HAllocate>(object_elements_size, HType::JSObject(),
           pretenure_flag, FIXED_DOUBLE_ARRAY_TYPE, site_context->current());
     } else {
Domain: Web Framework / Web Engine;