Elements field of newly allocated JSArray could be left uninitialized in some cases (fast literal case).
BUG=340124 LOG=Y R=hpayer@chromium.org Review URL: https://codereview.chromium.org/152673004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19026 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
parent
559826f649
commit
b98637ce5e
@ -9906,6 +9906,13 @@ HInstruction* HOptimizedGraphBuilder::BuildFastLiteral(
|
||||
if (elements_size > 0) {
|
||||
HValue* object_elements_size = Add<HConstant>(elements_size);
|
||||
if (boilerplate_object->HasFastDoubleElements()) {
|
||||
// Allocation folding will not be able to fold |object| and
|
||||
// |object_elements| together in some cases, so initialize
|
||||
// elements with the undefined to make GC happy.
|
||||
HConstant* empty_fixed_array = Add<HConstant>(
|
||||
isolate()->factory()->empty_fixed_array());
|
||||
Add<HStoreNamedField>(object, HObjectAccess::ForElementsPointer(),
|
||||
empty_fixed_array, INITIALIZING_STORE);
|
||||
object_elements = Add<HAllocate>(object_elements_size, HType::JSObject(),
|
||||
pretenure_flag, FIXED_DOUBLE_ARRAY_TYPE, site_context->current());
|
||||
} else {
|
||||
|