AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
87792715c9
v8/test/mjsunit/es9/regress
History
Caitlin Potter 3729410578 [cloneobjectic] initialize property array before filling it 
This avoids leaving the heap in an invalid state if a GC occurs during
population of the cloned property array, as is done in other IC
builtins.

BUG=chromium:904167, v8:7611
R=jkummerow@chromium.org, ishell@chromium.org

Change-Id: I0350ed2d65b72e299f7109b7d5aa86331f60e940
Reviewed-on: https://chromium-review.googlesource.com/c/1350282
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57879}
2018-11-27 17:24:21 +00:00
..
regress-866229.js [CloneObjectIC] copy may_have_interesting_symbols bit to fast result map 2018-08-04 16:48:18 +00:00
regress-866282.js [runtime] fix ClusterFuzz regressions (and remaining nits) in CloneObject 2018-07-25 21:23:05 +00:00
regress-866357.js [runtime] fix ClusterFuzz regressions (and remaining nits) in CloneObject 2018-07-25 21:23:05 +00:00
regress-866727.js [runtime] fix ClusterFuzz regressions (and remaining nits) in CloneObject 2018-07-25 21:23:05 +00:00
regress-866861.js [runtime] fix ClusterFuzz regressions (and remaining nits) in CloneObject 2018-07-25 21:23:05 +00:00
regress-867958.js Reland "Reland [CloneObjectIC] overwrite monomorphic/polymorphic feedback if deprecated" 2018-08-01 00:30:11 +00:00
regress-869342.js Reland "Reland [CloneObjectIC] overwrite monomorphic/polymorphic feedback if deprecated" 2018-08-01 00:30:11 +00:00
regress-902965.js [CloneObjectIC] clone MutableHeapNumbers only if !FLAG_unbox_double_fields 2018-11-08 19:14:11 +00:00
regress-903070.js [CloneObjectIC] clone MutableHeapNumbers only if !FLAG_unbox_double_fields 2018-11-08 19:14:11 +00:00
regress-904167.js [cloneobjectic] initialize property array before filling it 2018-11-27 17:24:21 +00:00