AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[turbofan] The upper bound for JSArray::length is max uint32.

Browse Source 
R=jarin@chromium.org
BUG=v8:4470
LOG=n

Review URL: https://codereview.chromium.org/1422373002

Cr-Commit-Position: refs/heads/master@{#31626}
This commit is contained in:
bmeurer 2015-10-28 04:54:28 -07:00 committed by Commit bot
parent 4e00456471
commit 526e41122a
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/compiler/js-native-context-specialization.cc
View File

@ -339,10 +339,10 @@ bool JSNativeContextSpecialization::ComputePropertyAccessInfo(
// The JSArray::length property is a smi in the range
// [0, FixedDoubleArray::kMaxLength] in case of fast double
// elements, a smi in the range [0, FixedArray::kMaxLength]
// in case of other fast elements, and [0, kMaxUInt32-1] in
// in case of other fast elements, and [0, kMaxUInt32] in
// case of other arrays.
Type* field_type_rep = Type::Tagged();
double field_type_upper = kMaxUInt32 - 1;
double field_type_upper = kMaxUInt32;
if (IsFastElementsKind(map->elements_kind())) {
field_type_rep = Type::TaggedSigned();
field_type_upper = IsFastDoubleElementsKind(map->elements_kind())