Reviewers: Rico, Description: Fix property array length calculation in TransformPropertiesToFastFor.
It was silently assumed that inobject_properties value is not too large. Recent introduction of inobject slack tracking made the assumption false and debug tests with no snapshot failed. Please review this at http://codereview.chromium.org/3584004/show SVN Base: http://v8.googlecode.com/svn/branches/bleeding_edge/ Affected files: M src/objects.cc Index: src/objects.cc =================================================================== --- src/objects.cc (revision 5571) +++ src/objects.cc (working copy) @@ -8719,6 +8719,11 @@ int inobject_props = obj->map()->inobject_properties(); int number_of_allocated_fields = number_of_fields + unused_property_fields - inobject_props; + if (number_of_allocated_fields < 0) { + // There is enough inobject space for all fields (including unused). + number_of_allocated_fields = 0; + unused_property_fields = inobject_props - number_of_fields; + } // Allocate the fixed array for the fields. Object* fields = Heap::AllocateFixedArray(number_of_allocated_fields); -- v8-dev mailing list v8-dev@googlegroups.com http://groups.google.com/group/v8-dev
