Fix for assertion failures appeared after StoreTransitionStub implementation.

R=yangguo@chromium.org Review URL: https://codereview.chromium.org/637553002 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24438 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Fix for assertion failures appeared after StoreTransitionStub implementation.
R=yangguo@chromium.org Review URL: https://codereview.chromium.org/637553002 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24438 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2c30ec5f · ishell@chromium.org · a17289f4 · 2c30ec5f · 2c30ec5f
Commit 2c30ec5f authored Oct 07, 2014 by ishell@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 4 deletions

code-stubs-hydrogen.cc src/code-stubs-hydrogen.cc +1 -1

objects-debug.cc src/objects-debug.cc +11 -3

No files found.
--- a/src/code-stubs-hydrogen.cc
+++ b/src/code-stubs-hydrogen.cc
@@ -800,12 +800,12 @@ HValue* CodeStubGraphBuilder<StoreTransitionStub>::BuildCodeStub() {

      BuildCopyProperties(properties, new_properties, length, new_capacity);

-      // Store the new value into the "extended" object.
      Add<HStoreNamedField>(object, HObjectAccess::ForPropertiesPointer(),
                            new_properties);
    }
    // Fall through.
    case StoreTransitionStub::StoreMapAndValue:
+      // Store the new value into the "extended" object.
      BuildStoreNamedField(
          object, GetParameter(StoreTransitionDescriptor::kValueIndex),
          casted_stub()->index(), casted_stub()->representation(), true);

--- a/src/objects-debug.cc
+++ b/src/objects-debug.cc
@@ -256,9 +256,17 @@ void JSObject::JSObjectVerify() {
  }

  if (HasFastProperties()) {
-    CHECK_EQ(map()->unused_property_fields(),
-             (map()->inobject_properties() + properties()->length() -
-              map()->NextFreePropertyIndex()));
+    int actual_unused_property_fields = map()->inobject_properties() +
+                                        properties()->length() -
+                                        map()->NextFreePropertyIndex();
+    if (map()->unused_property_fields() != actual_unused_property_fields) {
+      // This could actually happen in the middle of StoreTransitionStub
+      // when the new extended backing store is already set into the object and
+      // the allocation of the MutableHeapNumber triggers GC (in this case map
+      // is not updated yet).
+      CHECK_EQ(map()->unused_property_fields(),
+               actual_unused_property_fields - JSObject::kFieldsAdded);
+    }
    DescriptorArray* descriptors = map()->instance_descriptors();
    for (int i = 0; i < map()->NumberOfOwnDescriptors(); i++) {
      if (descriptors->GetDetails(i).type() == FIELD) {