JSArrayVerify() benefits from an extra check

We already have an implication check that if the ElementsKind is double, then the elements backing store should be a FixedDoubleArray. Additionally check that if the ElementsKind is object or smi, that the backing store is a FixedArray. R=neis@chromium.org Bug: v8:8662 Change-Id: Ib01079251fe7e1f1c076d4814ef5d306bb179ef0 Reviewed-on: https://chromium-review.googlesource.com/c/1434234Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#59072}

JSArrayVerify() benefits from an extra check
We already have an implication check that if the ElementsKind is double, then the elements backing store should be a FixedDoubleArray. Additionally check that if the ElementsKind is object or smi, that the backing store is a FixedArray. R=neis@chromium.org Bug: v8:8662 Change-Id: Ib01079251fe7e1f1c076d4814ef5d306bb179ef0 Reviewed-on: https://chromium-review.googlesource.com/c/1434234Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#59072}
52bcce83 · Mike Stanton · Commit Bot · 887d5a9a · 52bcce83
Commit 52bcce83 authored Jan 24, 2019 by Mike Stanton Committed by Commit Bot Jan 24, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

objects-debug.cc src/objects-debug.cc +1 -0

No files found.
--- a/src/objects-debug.cc
+++ b/src/objects-debug.cc
@@ -1236,6 +1236,7 @@ void JSArray::JSArrayVerify(Isolate* isolate) {
  if (length()->IsSmi() && HasFastElements()) {
    if (elements()->length() > 0) {
      CHECK_IMPLIES(HasDoubleElements(), elements()->IsFixedDoubleArray());
+      CHECK_IMPLIES(HasSmiOrObjectElements(), elements()->IsFixedArray());
    }
    int size = Smi::ToInt(length());
    // Holey / Packed backing stores might have slack or might have not been