c1e19bfc35
properly when it is called with a function pointer in the type cell, instead assuming that an AllocationSite object should be present. The case where this can happen is if the cell is uninitialized, then the first constructor call made is to the Array function of a different context. In that case, we'll store the function pointer in the cell, and then go ahead and call the array constructor stub too. The bug is fixed by checking for the AllocationSite object map. If not found, the constructor stub goes forward with a default ElementsKind, just as in several other cases. A test in allocation-site-info.js was beefed up to make sure the state chain described above is traversed. BUG= R=hpayer@chromium.org, hpayer@google.com Review URL: https://codereview.chromium.org/18277006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15555 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 |
||
|---|---|---|
| .. | ||
| cctest | ||
| message | ||
| mjsunit | ||
| mozilla | ||
| preparser | ||
| test262 | ||
| webkit | ||