| commit | 293283d55983b421fe6e246ae22d4de531f429ec | [log] [tgz] |
|---|---|---|
| author | Benedikt Meurer <bmeurer@chromium.org> | Wed Aug 09 12:07:50 2017 |
| committer | Commit Bot <commit-bot@chromium.org> | Thu Aug 10 03:49:12 2017 |
| tree | f28fb9033ee1e63e7584e9b5f2eaa9d873f06c1e | |
| parent | f70347492d54ad62ad7ce0cd96a1761082d5caf0 [diff] |
[builtins] Fix no elements check on the prototype chain. Invoking Object.freeze on either the Object.prototype or the Array.prototype changes its elements backing store to DICTIONARY_ELEMENTS kind, which is not properly checked in all placeswhere we test for elements in the prototype chain, i.e. in JSObject::PrototypeHasNoElements. This causes several Array builtins to take the slow path, i.e. Array.prototype.splice. Fix this for now by consistently checking for either empty_fixed_array or empty_slow_element_dictionary in both C++ and CSA runtime. Bug: v8:6689 Change-Id: I3f62643131b3a874b5c2a3d7ed054dd1e799bbaf Reviewed-on: https://chromium-review.googlesource.com/608127 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#47264}
V8 is Google's open source JavaScript engine.
V8 implements ECMAScript as specified in ECMA-262.
V8 is written in C++ and is used in Google Chrome, the open source browser from Google.
V8 can run standalone, or can be embedded into any C++ application.
V8 Project page: https://github.com/v8/v8/wiki
Checkout depot tools, and run
fetch v8
This will checkout V8 into the directory v8 and fetch all of its dependencies. To stay up to date, run
git pull origin
gclient sync
For fetching all branches, add the following into your remote configuration in .git/config:
fetch = +refs/branch-heads/*:refs/remotes/branch-heads/*
fetch = +refs/tags/*:refs/tags/*
Please follow the instructions mentioned on the V8 wiki.