Map::ReconfigureProperty() should mark map as unstable when there is an...

Map::ReconfigureProperty() should mark map as unstable when there is an element kind transition somewhere in the middle of the transition tree. BUG=chromium:485548 LOG=N Review URL: https://codereview.chromium.org/1128043005 Cr-Commit-Position: refs/heads/master@{#28418}

Map::ReconfigureProperty() should mark map as unstable when there is an...
Map::ReconfigureProperty() should mark map as unstable when there is an element kind transition somewhere in the middle of the transition tree. BUG=chromium:485548 LOG=N Review URL: https://codereview.chromium.org/1128043005 Cr-Commit-Position: refs/heads/master@{#28418}
3c1487db · ishell · Commit bot · 7f6ae230 · 3c1487db · 3c1487db
Commit 3c1487db authored May 15, 2015 by ishell Committed by Commit bot May 15, 2015
Showing with 75 additions and 1 deletion

objects.cc src/objects.cc +9 -1

regress-crbug-485548-1.js test/mjsunit/regress/regress-crbug-485548-1.js +33 -0

regress-crbug-485548-2.js test/mjsunit/regress/regress-crbug-485548-2.js +33 -0

No files found.
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -1419,7 +1419,8 @@ void HeapObject::HeapObjectShortPrint(std::ostream& os) {  // NOLINT
  }
  switch (map()->instance_type()) {
    case MAP_TYPE:
-      os << "<Map(elements=" << Map::cast(this)->elements_kind() << ")>";
+      os << "<Map(" << ElementsKindToString(Map::cast(this)->elements_kind())
+         << ")>";
      break;
    case FIXED_ARRAY_TYPE:
      os << "<FixedArray[" << FixedArray::cast(this)->length() << "]>";
@@ -2971,6 +2972,13 @@ Handle<Map> Map::ReconfigureProperty(Handle<Map> old_map, int modify_index,
      split_kind, old_descriptors->GetKey(split_nof), split_attributes,
      *new_descriptors, *new_layout_descriptor);

+  if (from_kind != to_kind) {
+    // There was an elements kind change in the middle of transition tree and
+    // we reconstructed the tree so that all elements kind transitions are
+    // done at the beginning, therefore the |old_map| is no longer stable.
+    old_map->NotifyLeafMapLayoutChange();
+  }
+
  // If |transition_target_deprecated| is true then the transition array
  // already contains entry for given descriptor. This means that the transition
  // could be inserted regardless of whether transitions array is full or not.

--- a/test/mjsunit/regress/regress-crbug-485548-1.js
+++ b/test/mjsunit/regress/regress-crbug-485548-1.js
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+var inner = new Array();
+inner.a = {x:1};
+inner[0] = 1.5;
+inner.b = {x:2};
+assertTrue(%HasFastDoubleElements(inner));
+
+function foo(o) {
+  return o.field.a.x;
+}
+
+var outer = {};
+outer.field = inner;
+foo(outer);
+foo(outer);
+foo(outer);
+%OptimizeFunctionOnNextCall(foo);
+foo(outer);
+
+// Generalize representation of field "a" of inner object.
+var v = { get x() { return 0x7fffffff; } };
+inner.a = v;
+
+gc();
+
+var boom = foo(outer);
+print(boom);
+assertEquals(0x7fffffff, boom);
--- a/test/mjsunit/regress/regress-crbug-485548-2.js
+++ b/test/mjsunit/regress/regress-crbug-485548-2.js
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+var inner = new Array();
+inner.a = {x:1};
+inner[0] = 1.5;
+inner.b = {x:2};
+assertTrue(%HasFastDoubleElements(inner));
+
+function foo(o) {
+  return o.field.b.x;
+}
+
+var outer = {};
+outer.field = inner;
+foo(outer);
+foo(outer);
+foo(outer);
+%OptimizeFunctionOnNextCall(foo);
+foo(outer);
+
+// Generalize representation of field "b" of inner object.
+var v = { get x() { return 0x7fffffff; } };
+inner.b = v;
+
+gc();
+
+var boom = foo(outer);
+print(boom);
+assertEquals(0x7fffffff, boom);