From: ishell@chromium.org <ishell@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Mon, 3 Feb 2014 13:33:26 +0000 (+0000)
Subject: Elements field of newly allocated JSArray could be left uninitialized in some cases... 
X-Git-Tag: upstream/4.7.83~10905
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=b98637ce5e7401f609ed2c476af39dbcfe64ab4a;p=platform%2Fupstream%2Fv8.git

Elements field of newly allocated JSArray could be left uninitialized in some cases (fast literal case).

BUG=340124
LOG=Y
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/152673004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19026 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index 478d938..298496f 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -9906,6 +9906,13 @@ HInstruction* HOptimizedGraphBuilder::BuildFastLiteral(
   if (elements_size > 0) {
     HValue* object_elements_size = Add<HConstant>(elements_size);
     if (boilerplate_object->HasFastDoubleElements()) {
+      // Allocation folding will not be able to fold |object| and
+      // |object_elements| together in some cases, so initialize
+      // elements with the undefined to make GC happy.
+      HConstant* empty_fixed_array = Add<HConstant>(
+          isolate()->factory()->empty_fixed_array());
+      Add<HStoreNamedField>(object, HObjectAccess::ForElementsPointer(),
+                            empty_fixed_array, INITIALIZING_STORE);
       object_elements = Add<HAllocate>(object_elements_size, HType::JSObject(),
           pretenure_flag, FIXED_DOUBLE_ARRAY_TYPE, site_context->current());
     } else {