Commit 50bf19a9 authored by yangguo@chromium.org's avatar yangguo@chromium.org

Fix corner case when transforming dictionary to fast elements.

R=verwaest@chromium.org
BUG=v8:2249
TEST=regress-2249.js

Review URL: https://chromiumcodereview.appspot.com/10802051

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12167 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent a1f0c5b1
...@@ -819,8 +819,8 @@ bool Compiler::CompileLazy(CompilationInfo* info) { ...@@ -819,8 +819,8 @@ bool Compiler::CompileLazy(CompilationInfo* info) {
void Compiler::RecompileParallel(Handle<JSFunction> closure) { void Compiler::RecompileParallel(Handle<JSFunction> closure) {
ASSERT(closure->IsMarkedForParallelRecompilation());
if (closure->IsInRecompileQueue()) return; if (closure->IsInRecompileQueue()) return;
ASSERT(closure->IsMarkedForParallelRecompilation());
Isolate* isolate = closure->GetIsolate(); Isolate* isolate = closure->GetIsolate();
if (!isolate->optimizing_compiler_thread()->IsQueueAvailable()) { if (!isolate->optimizing_compiler_thread()->IsQueueAvailable()) {
......
...@@ -12447,6 +12447,24 @@ MaybeObject* StringDictionary::TransformPropertiesToFastFor( ...@@ -12447,6 +12447,24 @@ MaybeObject* StringDictionary::TransformPropertiesToFastFor(
} }
} }
int inobject_props = obj->map()->inobject_properties();
// Allocate new map.
Map* new_map;
MaybeObject* maybe_new_map = obj->map()->CopyDropDescriptors();
if (!maybe_new_map->To(&new_map)) return maybe_new_map;
if (instance_descriptor_length == 0) {
ASSERT_LE(unused_property_fields, inobject_props);
// Transform the object.
new_map->set_unused_property_fields(unused_property_fields);
obj->set_map(new_map);
obj->set_properties(heap->empty_fixed_array());
// Check that it really works.
ASSERT(obj->HasFastProperties());
return obj;
}
// Allocate the instance descriptor. // Allocate the instance descriptor.
DescriptorArray* descriptors; DescriptorArray* descriptors;
MaybeObject* maybe_descriptors = MaybeObject* maybe_descriptors =
...@@ -12458,7 +12476,6 @@ MaybeObject* StringDictionary::TransformPropertiesToFastFor( ...@@ -12458,7 +12476,6 @@ MaybeObject* StringDictionary::TransformPropertiesToFastFor(
FixedArray::WhitenessWitness witness(descriptors); FixedArray::WhitenessWitness witness(descriptors);
int inobject_props = obj->map()->inobject_properties();
int number_of_allocated_fields = int number_of_allocated_fields =
number_of_fields + unused_property_fields - inobject_props; number_of_fields + unused_property_fields - inobject_props;
if (number_of_allocated_fields < 0) { if (number_of_allocated_fields < 0) {
...@@ -12523,13 +12540,9 @@ MaybeObject* StringDictionary::TransformPropertiesToFastFor( ...@@ -12523,13 +12540,9 @@ MaybeObject* StringDictionary::TransformPropertiesToFastFor(
ASSERT(current_offset == number_of_fields); ASSERT(current_offset == number_of_fields);
descriptors->Sort(witness); descriptors->Sort(witness);
// Allocate new map.
Map* new_map;
MaybeObject* maybe_new_map = obj->map()->CopyDropDescriptors();
if (!maybe_new_map->To(&new_map)) return maybe_new_map;
new_map->InitializeDescriptors(descriptors);
new_map->set_unused_property_fields(unused_property_fields); new_map->set_unused_property_fields(unused_property_fields);
new_map->InitializeDescriptors(descriptors);
// Transform the object. // Transform the object.
obj->set_map(new_map); obj->set_map(new_map);
......
// Copyright 2012 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Flags: --gc-interval=10 --stress-compaction
var o = {};
o[Math.pow(2,30)-1] = 0;
o[Math.pow(2,31)-1] = 0;
o[1] = 0;
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment