v8/test
mvstanton@chromium.org b1ffc7901f A JSArray may have a filler map in the elements pointer.
We already have code that expects this, but incorrectly asserted that the
filler map case would never happen when allocation folding is turned on.
However, even folding has its limits, bailing out of continued folding
when the object size grows too large. Therefore, it's a general problem
when verifying JSArray objects that we might encounter a filler map
in elements().

Discovered by ClusterFuzz crbug 347903.

R=hpayer@chromium.org
LOG=N
BUG=347903

Review URL: https://codereview.chromium.org/184493002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19604 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-02-28 12:29:19 +00:00
benchmarks Merge experimental/a64 to bleeding_edge. 2014-02-12 09:19:30 +00:00
cctest A64: fix cctest/test-assembler-a64 2014-02-28 10:31:05 +00:00
intl Merge experimental/a64 to bleeding_edge. 2014-02-12 09:19:30 +00:00
message Clean up some A64 specific code in common code that was introduced by A64 merge 2014-02-12 13:27:13 +00:00
mjsunit A JSArray may have a filler map in the elements pointer. 2014-02-28 12:29:19 +00:00
mozilla A64: Let the MacroAssembler resolve branches to distant targets. 2014-02-18 13:15:32 +00:00
preparser Merge experimental/a64 to bleeding_edge. 2014-02-12 09:19:30 +00:00
test262 Merge experimental/a64 to bleeding_edge. 2014-02-12 09:19:30 +00:00
webkit Merge experimental/a64 to bleeding_edge. 2014-02-12 09:19:30 +00:00