    [objects] Relax JSBoundFunction verification. · a9b9c7ab
    bmeurer authored
    The heap verifier does certain invariant checks on JSBoundFunction
    objects, i.e. it assumes that the bound_target_function is a proper
    JSReceiver. The Deoptimizer cannot maintain this invariant, because it
    first allocates the JSBoundFunction in an invalid state and only
    afterwards fixes up the state. But the GC (and thus the heap verifier)
    can observe this invalid state while materializing field values, so
    we need to relax the verification slightly.
    
    BUG=chromium:729573,chromium:732176
    R=mstarzinger@chromium.org
    
    Review-Url: https://codereview.chromium.org/2933283002
    Cr-Commit-Position: refs/heads/master@{#45988}
objects-inl.h 198 KB