-
verwaest@chromium.org authored
This happens when a map A with no descriptors in fast_holey_elements mode first gets some properties, making it share descriptor arrays with a map B to which it transitions. Then map A transitions elements kind to dictionary_elements in map C. C stores the empty_descriptor_array in its own transition array. When adding a property to C, C transitions to D and shares the descriptors. If D dies, a CNLT clears the transition array of C, making the descriptor array of A (and thus also of B) shine through. If a property is now added to an object in state C, it'll inherit all the properties of A (and B). If those properties had high field indices, we do not have a large enough backing store for the single newly added property, and we'll write out of bounds. BUG=chromium:151749 Review URL: https://chromiumcodereview.appspot.com/11017054 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12687 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
55e924c5
| Name |
Last commit
|
Last update |
|---|---|---|
| benchmarks | ||
| build | ||
| include | ||
| preparser | ||
| samples | ||
| src | ||
| test | ||
| tools | ||
| .gitignore | ||
| AUTHORS | ||
| ChangeLog | ||
| DEPS | ||
| LICENSE | ||
| LICENSE.strongtalk | ||
| LICENSE.v8 | ||
| LICENSE.valgrind | ||
| Makefile | ||
| Makefile.android | ||
| OWNERS | ||
| PRESUBMIT.py | ||
| SConstruct |