Don't use the same descriptor array in several maps.

Make a copy of the descriptor array when copying a map with pre-allocated properties. The garbage collector assumes that no two maps point to the same descriptor array. A simple reduction is missing. BUG=http://crbug.com/20330 TEST=none Review URL: http://codereview.chromium.org/177018 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2780 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Don't use the same descriptor array in several maps.
Make a copy of the descriptor array when copying a map with pre-allocated properties. The garbage collector assumes that no two maps point to the same descriptor array. A simple reduction is missing. BUG=http://crbug.com/20330 TEST=none Review URL: http://codereview.chromium.org/177018 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@2780 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
5ce6842d · sgjesse@chromium.org · b01a7395 · 5ce6842d
Commit 5ce6842d authored Aug 28, 2009 by sgjesse@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

objects.cc src/objects.cc +4 -1

No files found.
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -2929,8 +2929,11 @@ Object* Map::CopyDropDescriptors() {
  if (pre_allocated_property_fields() > 0) {
    ASSERT(constructor()->IsJSFunction());
    JSFunction* ctor = JSFunction::cast(constructor());
+    Object* descriptors =
+        ctor->initial_map()->instance_descriptors()->RemoveTransitions();
+    if (descriptors->IsFailure()) return descriptors;
    Map::cast(result)->set_instance_descriptors(
-        ctor->initial_map()->instance_descriptors());
+        DescriptorArray::cast(descriptors));
    Map::cast(result)->set_pre_allocated_property_fields(
        pre_allocated_property_fields());
  }