Reviewers: danno,
Description:
CopyPackedSmiToDoubleElements should fill the FixedDoubleArray with holes
BUG=v8:2433
Please review this at https://codereview.chromium.org/11280223/
SVN Base: http://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/elements.cc
A + test/mjsunit/regress/regress-2433.js
Index: src/elements.cc
diff --git a/src/elements.cc b/src/elements.cc
index
ae5c7de04ac55712be64baf6e69be7b546934b29..3e9624259f4d6bc5919d5157d83b041c743c031c
100644
--- a/src/elements.cc
+++ b/src/elements.cc
@@ -374,7 +374,7 @@ static void CopyPackedSmiToDoubleElements(FixedArray*
from,
if (raw_copy_size < 0) {
ASSERT(raw_copy_size == ElementsAccessor::kCopyToEnd ||
raw_copy_size ==
ElementsAccessor::kCopyToEndAndInitializeToHole);
- copy_size = from->length() - from_start;
+ copy_size = packed_size - from_start;
if (raw_copy_size == ElementsAccessor::kCopyToEndAndInitializeToHole) {
to_end = to->length();
for (uint32_t i = to_start + copy_size; i < to_end; ++i) {
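Review bot: The new `copy_size = packed_size - from_start;` has no visible guard against `from_start` exceeding `packed_size`. The hole-fill loop just below starts at `to_start + copy_size`, so a negative or wrapped difference would shift where hole initialisation begins and could leave destination slots holding stale values. The operand declarations are outside the hunk, so their signedness is an assumption here; if the case is reachable, state the precondition next to the assignment, e.g. `ASSERT(packed_size >= 0 && from_start <= static_cast<uint32_t>(packed_size));`. ASSERT is presumably compiled out of release builds, so the callers should also be checked to confirm they never pass such a pair. The body of CopyPackedSmiToDoubleElements starts and ends outside this hunk.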
Index: test/mjsunit/regress/regress-2433.js
diff --git a/test/mjsunit/regress/regress-observe-empty-double-array.js
b/test/mjsunit/regress/regress-2433.js
similarity index 87%
copy from test/mjsunit/regress/regress-observe-empty-double-array.js
copy to test/mjsunit/regress/regress-2433.js
index
aea9c73b2291010870a01d496f2a299f6b40dcb2..dfe7131b59a49e5a0c936065c4e59d6565e9b2ee
100644
--- a/test/mjsunit/regress/regress-observe-empty-double-array.js
+++ b/test/mjsunit/regress/regress-2433.js
@@ -25,13 +25,12 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-// Flags: --harmony-observation --allow-natives-syntax
+// Transitioning from a PackedSmi to PackedDouble should fill the
destination
+// with holes.
//
-// Test passes if it does not crash.
+// See http://code.google.com/p/v8/issues/detail?id=2433 for details.
-arr = [1.1];
-Object.observe(arr, function(){});
-arr.length = 0;
-assertTrue(%HasFastDoubleElements(arr));
-// Should not crash
-arr.push(1.1);
+arr = [];
+arr[0] = 0;
+arr[0] = 1.1;
+assertEquals(undefined, arr[1]);
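Review bot: The test never asserts that `arr` has fast double elements when `arr[1]` is read, so it can pass without exercising the smi-to-double copy if the transition or allocation behaviour changes. The file it was copied from had `// Flags: --allow-natives-syntax` and `assertTrue(%HasFastDoubleElements(arr));`. Keeping both, with the assertion placed before `assertEquals(undefined, arr[1]);`, would pin that precondition. Only one index past the written element is checked; reading a few more indices in a short loop would cover more of the tail that the fix is meant to fill with holes.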