- 01 Sep, 2017 1 commit
Jakob Gruber authored
Prior to this, AllocateJSArray would go ahead and allocate an empty FixedArray as elements if passed any capacity that is not a compile-time constant 0. Things break later on since we rely on the fact that empty fixed arrays are always canonicalized, and we use obj.elements == empty_fixed_array_constant interchangeably with obj.elements.length == 0. This CL introduces two new branches in AllocateJSArray: one if the capacity is known to be non-zero; and another that explicitly distinguishes between 0 and non-zero capacities.
Bug: chromium:760790
Change-Id: I7c22b19ce9ce15a46f91b0f75e6b4a1ff3a29a0f
Reviewed-on: https://chromium-review.googlesource.com/645959
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47776}
- 25 Jan, 2017 1 commit
petermarshall authored
We did not smi-check the spread argument here, meaning we tried to take the map of a smi, resulting in segfaults which clusterfuzz found. Also added tests that exercise this path.
BUG=685086
Review-Url: https://codereview.chromium.org/2655013002
Cr-Commit-Position: refs/heads/master@{#42657}
- 16 Jan, 2017 1 commit
yangguo authored
TBR=tebbi@chromium.org
BUG=chromium:679841
Review-Url: https://codereview.chromium.org/2631163002
Cr-Commit-Position: refs/heads/master@{#42375}
- 12 Jan, 2017 1 commit
marja authored
The bug was caused by AstTraversalVisitor refactoring: https://codereview.chromium.org/2169833002/ InitializerRewriter::VisitRewritableExpression in parser.cc didn't recurse, so it fails when a rewritable expression contains another rewritable expression. See the bug for more details.
BUG=chromium:679727
Review-Url: https://codereview.chromium.org/2629623002
Cr-Commit-Position: refs/heads/master@{#42274}
- 04 Jan, 2017 1 commit
tebbi authored
R=bmeurer@chromium.org
BUG=chromium:677757
Review-Url: https://codereview.chromium.org/2606383005
Cr-Commit-Position: refs/heads/master@{#42066}