2859dba713
Prior to this, AllocateJSArray would go ahead and allocate an empty FixedArray as elements if passed any capacity that is not a compile-time constant 0. Things break later on since we rely on the fact that empty fixed arrays are always canonicalize, and we use obj.elements == empty_fixed_array_constant interchangeably with obj.elements.length == 0. This CL introduces two new branches in AllocateJSArray: one if the capacity is known to be non-zero; and another that explicitly distinguishes between 0 and non-zero capacities. Bug: chromium:760790 Change-Id: I7c22b19ce9ce15a46f91b0f75e6b4a1ff3a29a0f Reviewed-on: https://chromium-review.googlesource.com/645959 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#47776} |
||
|---|---|---|
| .. | ||
| benchmarks | ||
| cctest | ||
| common | ||
| debugger | ||
| fuzzer | ||
| inspector | ||
| intl | ||
| js-perf-test | ||
| memory | ||
| message | ||
| mjsunit | ||
| mkgrokdump | ||
| mozilla | ||
| preparser | ||
| promises-aplus | ||
| test262 | ||
| unittests | ||
| wasm-spec-tests | ||
| webkit | ||
| bot_default.gyp | ||
| bot_default.isolate | ||
| BUILD.gn | ||
| default.gyp | ||
| default.isolate | ||
| optimize_for_size.gyp | ||
| optimize_for_size.isolate | ||
| perf.gyp | ||
| perf.isolate | ||