| Index: src/hydrogen.cc
|
| diff --git a/src/hydrogen.cc b/src/hydrogen.cc
|
| index 3d0d5505aea05800177fdce62d85f9cafe7dcaef..e86d216120284823466b697d5a4a27715f3477d2 100644
|
| --- a/src/hydrogen.cc
|
| +++ b/src/hydrogen.cc
|
| @@ -8919,9 +8919,11 @@ void HOptimizedGraphBuilder::VisitCallNew(CallNew* expr) {
|
| } else {
|
| // The constructor function is both an operand to the instruction and an
|
| // argument to the construct call.
|
| + Handle<JSFunction> array_function =
|
| + Handle<JSFunction>(isolate()->global_context()->array_function(),
|
| + isolate());
|
| bool use_call_new_array = FLAG_optimize_constructed_arrays &&
|
| - !(expr->target().is_null()) &&
|
| - *(expr->target()) == isolate()->global_context()->array_function();
|
| + expr->target().is_identical_to(array_function);
|
|
|
| CHECK_ALIVE(VisitArgument(expr->expression()));
|
| HValue* constructor = HPushArgument::cast(Top())->argument();
|
| @@ -8929,6 +8931,7 @@ void HOptimizedGraphBuilder::VisitCallNew(CallNew* expr) {
|
| HCallNew* call;
|
| if (use_call_new_array) {
|
| Handle<Cell> cell = expr->allocation_info_cell();
|
| + AddInstruction(new(zone()) HCheckFunction(constructor, array_function));
|
| call = new(zone()) HCallNewArray(context, constructor, argument_count,
|
| cell);
|
| } else {
|
|
|
Chromium Code Reviews
Issue 16944006:
HCheckFunction is needed to protect new array constructors in (Closed)
Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge