Chromium Code Reviews

Issue 43383004: The Elements pointer in a JSObject can have a filler map instead of a (Closed)

Created:
7 years, 1 month ago by mvstanton
Modified:
7 years, 1 month ago
CC:
v8-dev
Visibility:
Public.

Description

The Elements pointer in a JSObject can have a filler map instead of a valid fixed array, iff a GC occurred while allocating a fixed array as part of array construction. Heap verification needs protection against examining the elements object in this case.

R=svenpanne@chromium.org

Committed: https://code.google.com/p/v8/source/detail?r=17397

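The transient state the description refers to, as an added illustration that is not code from this CL or from V8: a toy heap in which array construction first creates the JSObject and reserves its elements storage under a filler map, and only afterwards turns that storage into a real FixedArray. A verifier that insists on seeing a FixedArray fires if a GC runs in the gap; a verifier that treats a filler map in the elements slot as "construction in progress" does not, yet still rejects a genuinely wrong map. The object layout, the `Map` enum, the `Heap`, `NewArray`, `VerifyElementsStrict` and `VerifyElementsTolerant` names are all constructed for this example.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Constructed toy model of the invariant described in the CL; it is not
// V8's object layout or its real heap verifier.
enum class Map { Filler, FixedArray, JSObject };

struct HeapObject {
  Map map;
};

struct FixedArray : HeapObject {
  std::vector<int> slots;
};

struct JSObject : HeapObject {
  HeapObject* elements;  // normally a FixedArray; transiently a filler
};

using Verifier = bool (*)(const JSObject&);

// Pre-fix behaviour: insists the elements pointer is a FixedArray and
// inspects its contents, which fires if a GC runs mid-construction.
bool VerifyElementsStrict(const JSObject& obj) {
  if (obj.elements == nullptr || obj.elements->map != Map::FixedArray) return false;
  const auto* fa = static_cast<const FixedArray*>(obj.elements);
  for (int v : fa->slots) {
    if (v < 0) return false;  // toy per-element invariant
  }
  return true;
}

// Post-fix behaviour: a filler map in the elements slot means the backing
// store is reserved but not yet initialised, so skip the per-element check.
bool VerifyElementsTolerant(const JSObject& obj) {
  if (obj.elements == nullptr) return false;
  if (obj.elements->map == Map::Filler) return true;
  return VerifyElementsStrict(obj);
}

struct Heap {
  std::vector<std::unique_ptr<JSObject>> objects;
  std::vector<std::unique_ptr<FixedArray>> arrays;
  Verifier verifier;
  int failures = 0;

  explicit Heap(Verifier v) : verifier(v) {}

  // Heap verification as run by a (simulated) GC: check every JSObject.
  void Gc() {
    for (const auto& obj : objects) {
      if (!verifier(*obj)) ++failures;
    }
  }

  // Two-step array construction: the JSObject and its elements slot exist
  // before the backing FixedArray is initialised. The reserved space carries
  // a filler map so a GC that runs in between can walk over it.
  JSObject* NewArray(std::size_t length, bool gc_between) {
    objects.push_back(std::make_unique<JSObject>());
    JSObject* obj = objects.back().get();
    obj->map = Map::JSObject;

    arrays.push_back(std::make_unique<FixedArray>());
    FixedArray* backing = arrays.back().get();
    backing->map = Map::Filler;
    obj->elements = backing;

    if (gc_between) Gc();  // verification observes the filler here

    backing->map = Map::FixedArray;
    backing->slots.assign(length, 0);
    return obj;
  }
};

// Number of verification failures seen across one construction plus a
// final GC once the array is complete (the final GC must always pass).
int ConstructAndCount(Verifier v, bool gc_between) {
  Heap heap(v);
  heap.NewArray(4, gc_between);
  heap.Gc();
  return heap.failures;
}

// A genuinely wrong elements slot must still be rejected by both verifiers.
bool CorruptElementsRejected(Verifier v) {
  JSObject bogus;
  bogus.map = Map::JSObject;
  JSObject obj;
  obj.map = Map::JSObject;
  obj.elements = &bogus;  // a JSObject map where a FixedArray is required
  return !v(obj);
}

int main() {
  return (ConstructAndCount(VerifyElementsStrict, true) == 1 &&
          ConstructAndCount(VerifyElementsTolerant, true) == 0) ? 0 : 1;
}
```

The point of the tolerant verifier is that it narrows the exemption to exactly the filler map: any other non-FixedArray map in the slot is still a verification failure, so the relaxation does not hide real corruption.
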
Patch Set 1

Stats: +31 lines, -21 lines

M src/objects.h (1 chunk, +5 lines, -0 lines, 0 comments)
M src/objects-debug.cc (3 chunks, +9 lines, -6 lines, 0 comments)
M src/objects-inl.h (1 chunk, +17 lines, -12 lines, 0 comments)
M test/mjsunit/mjsunit.status (1 chunk, +0 lines, -3 lines, 0 comments)

Messages

Total messages: 5 (0 generated)
mvstanton
PTAL, thx! --Michael
7 years, 1 month ago (2013-10-25 12:01:49 UTC) #1
Sven Panne
lgtm
7 years, 1 month ago (2013-10-25 12:13:40 UTC) #2
mvstanton
Committed patchset #1 manually as r17397 (presubmit successful).
7 years, 1 month ago (2013-10-25 12:26:55 UTC) #3
Jakob Kummerow
This CL causes compile failures when heap verification support is enabled in Release mode, see ...
7 years, 1 month ago (2013-10-28 21:31:00 UTC) #4
mvstanton
Oops, fixed here: https://codereview.chromium.org/48963006/
(Message was sent while issue was closed.)
7 years, 1 month ago (2013-10-29 08:27:28 UTC) #5
