[heap-verify] Allow for temporary invalid array length for slow elements

R=jkummerow@chromium.org
BUG=chromium:665112

Review-Url: https://codereview.chromium.org/2501303002
Cr-Commit-Position: refs/heads/master@{#41002}
cbruni 2016-11-15 08:09:25 -08:00 committed by Commit bot
parent bb6a626b76
commit 3a91f8af1a


@ -785,12 +785,19 @@ void JSArray::JSArrayVerify() {
elements() == isolate->heap()->empty_fixed_array());
} else {
CHECK(HasDictionaryElements());
uint32_t size;
CHECK(length()->ToArrayLength(&size));
if (size != 0) {
uint32_t array_length;
CHECK(length()->ToArrayLength(&array_length));
if (array_length == 0xffffffff) {
CHECK(length()->ToArrayLength(&array_length));
}
if (array_length != 0) {
SeededNumberDictionary* dict = SeededNumberDictionary::cast(elements());
// The dictionary can never have more elements than the array length.
CHECK(static_cast<uint32_t>(dict->NumberOfElements()) <= size);
// The dictionary can never have more elements than the array length + 1.
// If the backing store grows the verification might be triggered with
// the old length in place.
uint32_t nof_elements = static_cast<uint32_t>(dict->NumberOfElements());
if (nof_elements != 0) nof_elements--;
CHECK_LE(nof_elements, array_length);
}
}
}
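Review bot: The re-check guarded by `if (array_length == 0xffffffff)` is a no-op: it calls `length()->ToArrayLength(&array_length)` on the same object a second time, so `array_length` cannot come out different, and the block neither documents nor handles the transient state the commit title describes. If the intent is to tolerate a sentinel length observed mid-resize, say so in a comment and state what is expected instead, or drop the block; either way the magic `0xffffffff` should be spelled as the named constant `kMaxUInt32` so the intent is greppable. The `nof_elements--` before `CHECK_LE(nof_elements, array_length)` deliberately loosens a heap-verifier invariant to a +1 tolerance, which makes the verifier miss an off-by-one between the dictionary and the length; the comment should make explicit that this slack belongs to the verifier only and that the case `array_length == 0` still skips the dictionary check entirely. JSArrayVerify begins before this hunk.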