Status: New
Owner: ----

New issue 822 by dannycoates: Clusterizer::CalculateNetworkSize may fail cast assertion
http://code.google.com/p/v8/issues/detail?id=822

According to JSObject::elements(), the array can be a fixed, pixel, or external array, but it is cast to FixedArray in Clusterizer::CalculateNetworkSize. It may fail the cast assertion on debug builds.


in objects-inl.h around line 1159

  HeapObject* JSObject::elements() {
    Object* array = READ_FIELD(this, kElementsOffset);
    // In the assert below Dictionary is covered under FixedArray.
    ASSERT(array->IsFixedArray() || array->IsPixelArray() ||
           array->IsExternalArray());
    return reinterpret_cast<HeapObject*>(array);
  }

in heap-profiler.cc around line 117

  if (FixedArray::cast(obj->elements())->length() != 0) {
    size += obj->elements()->Size();
  }

in objects-inl.h around line 63

  #define CAST_ACCESSOR(type)                     \
    type* type::cast(Object* object) {            \
      ASSERT(object->Is##type());                 \
      return reinterpret_cast<type*>(object);     \
    }

--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
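
The mismatch described in the report, as an added example that is not part of the original issue or of V8's code. The `HeapObject` model, its sizes, and the functions `FixedArrayCast`, `SizeViaFixedArrayCast` and `ElementsSize` are hypothetical stand-ins; the kind-agnostic variant is one possible approach, not the project's fix.

```cpp
#include <cstddef>
#include <cstdio>

// Simplified model of the three backing stores JSObject::elements() may return.
// Names and sizes are constructed for illustration, not V8's real layout.
enum class Kind { kFixedArray, kPixelArray, kExternalArray };

struct HeapObject {
  Kind kind;
  size_t length;
  bool IsFixedArray() const { return kind == Kind::kFixedArray; }
  size_t Size() const {  // header + payload, constructed values
    const size_t header = 2 * sizeof(void*);
    switch (kind) {
      case Kind::kFixedArray:    return header + length * sizeof(void*);
      case Kind::kPixelArray:    return header + length;  // one byte per element
      case Kind::kExternalArray: return header + sizeof(void*);  // pointer to off-heap data
    }
    return header;
  }
};

// Same predicate as ASSERT(object->Is##type()) in CAST_ACCESSOR, but reported
// as nullptr so the failure is observable instead of aborting.
const HeapObject* FixedArrayCast(const HeapObject* o) {
  return o->IsFixedArray() ? o : nullptr;
}

// The pattern from heap-profiler.cc: only valid when elements is a FixedArray.
// Returns false where a debug build would hit the cast assertion.
bool SizeViaFixedArrayCast(const HeapObject* elements, size_t* size) {
  const HeapObject* fa = FixedArrayCast(elements);
  if (fa == nullptr) return false;
  if (fa->length != 0) *size += elements->Size();
  return true;
}

// Hypothetical kind-agnostic variant: no downcast, so all three kinds are sized.
size_t ElementsSize(const HeapObject* elements) {
  return elements->length != 0 ? elements->Size() : 0;
}

int main() {
  const HeapObject pixel{Kind::kPixelArray, 16};
  size_t size = 0;
  std::printf("cast ok: %d, agnostic size: %zu\n",
              SizeViaFixedArrayCast(&pixel, &size), ElementsSize(&pixel));
  return 0;
}
```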
