AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Fix property array length calculation in TransformPropertiesToFastFor.

Browse Source 
It was silently assumed that inobject_properties value is not too large.
Recent introduction of inobject slack tracking made the assumption false
and debug tests with no snapshot failed.

Review URL: http://codereview.chromium.org/3584004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5575 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
kaznacheev@chromium.org 2010-10-01 12:40:30 +00:00
parent a11fb492fa
commit f1d057dfec
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/objects.cc
View File

@ -8719,6 +8719,11 @@ Object* StringDictionary::TransformPropertiesToFastFor(
int inobject_props = obj->map()->inobject_properties();
int number_of_allocated_fields =
number_of_fields + unused_property_fields - inobject_props;
if (number_of_allocated_fields < 0) {
// There is enough inobject space for all fields (including unused).
number_of_allocated_fields = 0;
unused_property_fields = inobject_props - number_of_fields;
}
// Allocate the fixed array for the fields.
Object* fields = Heap::AllocateFixedArray(number_of_allocated_fields);