    Fix CNLT regression. · 55e924c5
    verwaest@chromium.org authored
    This happens when a map A with no descriptors in fast_holey_elements
    mode first gets some properties, making it share descriptor arrays with
    a map B to which it transitions. Then map A transitions elements kind to
    dictionary_elements in map C. C stores the empty_descriptor_array in its
    own transition array. When adding a property to C, C transitions to D
    and shares the descriptors. If D dies, a CNLT clears the transition
    array of C, making the descriptor array of A (and thus also of B) shine
    through. If a property is now added to an object in state C, it'll inherit
    all the properties of A (and B). If those properties had high field indices,
    we do not have a large enough backing store for the single newly added
    property, and we'll write out of bounds.
    
    BUG=chromium:151749
    
    Review URL: https://chromiumcodereview.appspot.com/11017054
    
    git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12687 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
regress-cnlt-elements.js 1.82 KB
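The transition sequence the commit message describes, reproduced in plain JavaScript as an added example. This is not the commit's own regression test (regress-cnlt-elements.js) and not V8 code; the map names A..D are the commit's, but which internal map each object actually lands in is an assumption, since V8 maps, descriptor arrays and transition arrays are not observable from script. The GC step that lets D "die" is best-effort: it only runs when the engine exposes `gc()` (assumed to be `node --expose-gc` or `d8 --expose-gc`), otherwise the dead object is merely unreferenced. The checks at the end are what a fixed engine must satisfy: the object in state C ends up with only its own elements and the single property added to it, never B's named properties.

```javascript
// Added example, not from the V8 commit or its regression test. It follows the
// A -> B, A -> C, C -> D, "D dies", "add to C" sequence from the commit message.

// Best-effort GC hook (assumption: gc() exists only under --expose-gc).
function collectGarbage() {
  if (typeof gc === "function") {
    gc();
    return true;
  }
  return false;
}

// State A (assumed): a fresh object whose only store is a holey element, so it
// has no named descriptors and fast holey elements.
function makeHoleyObject() {
  const o = {};
  o[5] = 1; // index 5 on an empty backing store leaves holes 0..4
  return o;
}

// State C (assumed): A plus a sparse index large enough that the engine gives
// up on fast elements and switches to dictionary elements.
function makeDictionaryElementsObject() {
  const o = makeHoleyObject();
  o[100000] = 1;
  return o;
}

const NAMED_PROPERTIES_OF_B = ["p0", "p1", "p2", "p3"];

function runScenario() {
  // A -> B: an object in state A gains several named properties. These are
  // the descriptors the buggy path let "shine through" into C.
  const b = makeHoleyObject();
  b.p0 = 10;
  b.p1 = 11;
  b.p2 = 12;
  b.p3 = 13;

  // C -> D: an object in state C gains one property, then becomes garbage so
  // that D can die and non-live transitions of C can be cleared.
  (function () {
    const d = makeDictionaryElementsObject();
    d.q = 1;
  })();
  const gcRan = collectGarbage();

  // A fresh object in state C receives a single new property. With the fix it
  // must carry only its own elements plus that property; with the bug it would
  // inherit B's p0..p3 and write the new field past its backing store.
  const c = makeDictionaryElementsObject();
  c.added = 42;

  return {
    gcRan,
    keys: Object.keys(c),
    added: c.added,
    leaked: NAMED_PROPERTIES_OF_B.filter((k) => k in c),
    bKeys: Object.keys(b),
  };
}
```

Run it as `node --expose-gc` so `collectGarbage()` actually triggers a collection between the "D dies" step and the final property add; without that flag the sequence still exercises the same transitions, only the collection is left to the engine's discretion.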