AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
8e0b2d1f70
v8/test/mjsunit/es9
History
Caitlin Potter 3729410578 [cloneobjectic] initialize property array before filling it 
This avoids leaving the heap in an invalid state if a GC occurs during
population of the cloned property array, as is done in other IC
builtins.

BUG=chromium:904167, v8:7611
R=jkummerow@chromium.org, ishell@chromium.org

Change-Id: I0350ed2d65b72e299f7109b7d5aa86331f60e940
Reviewed-on: https://chromium-review.googlesource.com/c/1350282
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57879}
2018-11-27 17:24:21 +00:00
..
regress [cloneobjectic] initialize property array before filling it 2018-11-27 17:24:21 +00:00
object-rest-basic.js [esnext] Remove --harmony-object-rest-spread flag 2017-10-25 19:47:29 +00:00
object-spread-basic.js [esnext] Remove --harmony-object-rest-spread flag 2017-10-25 19:47:29 +00:00
object-spread-ic-dontenum-transition.js [CloneObjectIC] add CSA implementation of slow case 2018-09-11 20:43:53 +00:00
object-spread-ic-multiple-transitions.js [CloneObjectIC] add CSA implementation of slow case 2018-09-11 20:43:53 +00:00
object-spread-ic.js [CloneObjectIC] clone MutableHeapNumbers instead of referencing them 2018-11-07 03:15:45 +00:00
regexp-lookbehind.js [regexp] make lookbehind assertions non-quantifiable. 2018-02-20 11:24:32 +00:00
template-escapes.js Remove always-on --harmony-template-escapes flag 2017-11-28 18:36:41 +00:00