commit 397e23cb4f6fae2f4b020b914ce08c8b150c12e2
author antonm@chromium.org <antonm@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00> Wed Apr 21 12:00:05 2010 +0000
committer antonm@chromium.org <antonm@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00> Wed Apr 21 12:00:05 2010 +0000
tree 24f5d3076ee0c8593f3a52146c8176bce379c02e
parent c9c80823e038328f2e1060d7feef0762a50adf06

Bring r4460 to trunk.

This fixes an overwrite past the end of cache.

Review URL: http://codereview.chromium.org/1689004

git-svn-id: http://v8.googlecode.com/svn/trunk@4461 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/runtime.cc

diff --git a/src/runtime.cc b/src/runtime.cc
index 5e43129..ab77018 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -10101,8 +10101,10 @@
     cache->set(JSFunctionResultCache::kCacheSizeIndex, Smi::FromInt(size + 2));
     return CacheMiss(cache, size, key);
   } else {
-    int target_index = (finger_index < cache->length()) ?
-        finger_index + 2 : JSFunctionResultCache::kEntriesIndex;
+    int target_index = finger_index + JSFunctionResultCache::kEntrySize;
+    if (target_index == cache->length()) {
+      target_index = JSFunctionResultCache::kEntriesIndex;
+    }
     return CacheMiss(cache, target_index, key);
   }
 }