[objects] Fix flag in {Map::AddMissingTransitions}.

This fixes the computation of the {may_have_interesting_symbols} flag for the last map computed in {Map::AddMissingTransitions} method. The last map is allocated ahead of time, but the flag is only correct once the descriptors are actually installed in the end. R=bmeurer@chromium.org TEST=mjsunit/regress/regress-crbug-786020 BUG=chromium:786020 Change-Id: Iff97780609fe596437eb6bea85606a1c3bb2ac4c Reviewed-on: https://chromium-review.googlesource.com/789839Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#49631}

[objects] Fix flag in {Map::AddMissingTransitions}.
This fixes the computation of the {may_have_interesting_symbols} flag for the last map computed in {Map::AddMissingTransitions} method. The last map is allocated ahead of time, but the flag is only correct once the descriptors are actually installed in the end. R=bmeurer@chromium.org TEST=mjsunit/regress/regress-crbug-786020 BUG=chromium:786020 Change-Id: Iff97780609fe596437eb6bea85606a1c3bb2ac4c Reviewed-on: https://chromium-review.googlesource.com/789839Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#49631}
4ad9430c · Michael Starzinger · Commit Bot · 9af72045 · 4ad9430c · 4ad9430c
Commit 4ad9430c authored Nov 27, 2017 by Michael Starzinger Committed by Commit Bot Nov 27, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 0 deletions

objects.cc src/objects.cc +5 -0

regress-crbug-786020.js test/mjsunit/regress/regress-crbug-786020.js +8 -0

No files found.
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -9382,9 +9382,13 @@ Handle<Map> Map::AddMissingTransitions(
  // Number of unused properties is temporarily incorrect and the layout
  // descriptor could unnecessarily be in slow mode but we will fix after
  // all the other intermediate maps are created.
+  // Also the last map might have interesting symbols, we temporarily set
+  // the flag and clear it right before the descriptors are installed. This
+  // makes heap verification happy and ensures the flag ends up accurate.
  Handle<Map> last_map = CopyDropDescriptors(split_map);
  last_map->InitializeDescriptors(*descriptors, *full_layout_descriptor);
  last_map->SetInObjectUnusedPropertyFields(0);
+  last_map->set_may_have_interesting_symbols(true);

  // During creation of intermediate maps we violate descriptors sharing
  // invariant since the last map is not yet connected to the transition tree
@@ -9398,6 +9402,7 @@ Handle<Map> Map::AddMissingTransitions(
    map = new_map;
  }
  map->NotifyLeafMapLayoutChange();
+  last_map->set_may_have_interesting_symbols(false);
  InstallDescriptors(map, last_map, nof_descriptors - 1, descriptors,
                     full_layout_descriptor);
  return last_map;

--- a/test/mjsunit/regress/regress-crbug-786020.js
+++ b/test/mjsunit/regress/regress-crbug-786020.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+%SetAllocationTimeout(1000, 90);
+(new constructor)[0x40000000] = null;