projects / platform / upstream / v8.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e3af6b1)
BuildGrowElementsCapacity bounds check used wrong elements kind.
authormvstanton@chromium.org <mvstanton@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Tue, 1 Jul 2014 14:52:14 +0000 (14:52 +0000)
committermvstanton@chromium.org <mvstanton@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Tue, 1 Jul 2014 14:52:14 +0000 (14:52 +0000)
In a refactoring, HGraphBuilder::BuildGrowElementsCapacity() ended up
using the old_elements_kind instead of new_kind when calculating if a
new capacity for an array exceeds Page::kMaxRegularHeapObjectSize.

Repair, such that the check is correct.

R=hpayer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/366583006

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22126 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/hydrogen.cc patch | blob | history

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 51f3efe..a4b72a7 100644 (file)
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -2683,7 +2683,7 @@ HValue* HGraphBuilder::BuildGrowElementsCapacity(HValue* object,
                                                  HValue* new_capacity) {
   Add<HBoundsCheck>(new_capacity, Add<HConstant>(
           (Page::kMaxRegularHeapObjectSize - FixedArray::kHeaderSize) >>
-          ElementsKindToShiftSize(kind)));
+          ElementsKindToShiftSize(new_kind)));
 
   HValue* new_elements = BuildAllocateElementsAndInitializeElementsHeader(
       new_kind, new_capacity);
Domain: Web Framework / Web Engine;