Fix crashes during GC caused by partially initialized objects.

The inline allocation code used the expected number of properties to calculate the number of inobject properties for an object instead of getting the actual number from the initial map. It is safer to use the inobject property count from the initial map in any case because that is the amount the instances will get. I think this disconnect got introduced when adding shrinking of objects. Unfortunately I haven't been able to create a simple reproduction for a test case but this fixes the webpage that exhibits the crash. I'll see if I can create a reproduction tomorrow.

Review URL: http://codereview.chromium.org/5278003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5879 ce2b1a6d-e550-0410-aec6-3dcde31c8c00