AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

In ArrayConstructor_StubFailure the transition elements kind was

Browse Source 
ignored on allocation.

BUG=

Review URL: https://codereview.chromium.org/12767004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13931 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
mvstanton@chromium.org 2013-03-13 13:03:59 +00:00
parent 74e7500afa
commit d9ca45b1ca
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/builtins.cc
View File

@ -203,12 +203,6 @@ RUNTIME_FUNCTION(MaybeObject*, ArrayConstructor_StubFailure) {
holey = (value > 0 && value < JSObject::kInitialMaxFastElementArray);
}
ASSERT(function->has_initial_map());
ElementsKind kind = function->initial_map()->elements_kind();
if (holey) {
kind = GetHoleyElementsKind(kind);
}
MaybeObject* maybe_array;
if (*type_info != isolate->heap()->undefined_value()) {
JSGlobalPropertyCell* cell = JSGlobalPropertyCell::cast(*type_info);
@ -224,14 +218,20 @@ RUNTIME_FUNCTION(MaybeObject*, ArrayConstructor_StubFailure) {
AllocationSiteMode mode = AllocationSiteInfo::GetMode(to_kind);
if (mode == TRACK_ALLOCATION_SITE) {
maybe_array = isolate->heap()->AllocateEmptyJSArrayWithAllocationSite(
kind, type_info);
to_kind, type_info);
} else {
maybe_array = isolate->heap()->AllocateEmptyJSArray(kind);
maybe_array = isolate->heap()->AllocateEmptyJSArray(to_kind);
}
if (!maybe_array->To(&array)) return maybe_array;
}
}
ASSERT(function->has_initial_map());
ElementsKind kind = function->initial_map()->elements_kind();
if (holey) {
kind = GetHoleyElementsKind(kind);
}
if (array == NULL) {
maybe_array = isolate->heap()->AllocateEmptyJSArray(kind);
if (!maybe_array->To(&array)) return maybe_array;