[runtime] Copy descriptors on prototype map transition.

Currently the descriptors are moved from the old map to the new map, which is unsafe for the concurrent marker. This patch removes the map mutation. Change-Id: I3f7ce455c7344148a122c7443cf32a4eef0307be Reviewed-on: https://chromium-review.googlesource.com/535480 Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#46131}

[runtime] Copy descriptors on prototype map transition.
Currently the descriptors are moved from the old map to the new map, which is unsafe for the concurrent marker. This patch removes the map mutation. Change-Id: I3f7ce455c7344148a122c7443cf32a4eef0307be Reviewed-on: https://chromium-review.googlesource.com/535480 Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#46131}
5d8840e2 · Ulan Degenbaev · Commit Bot · 79ec0672 · 5d8840e2
Commit 5d8840e2 authored Jun 21, 2017 by Ulan Degenbaev Committed by Commit Bot Jun 22, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 21 deletions

objects.cc src/objects.cc +9 -21

No files found.
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -3825,17 +3825,10 @@ void JSObject::MigrateToMap(Handle<JSObject> object, Handle<Map> new_map,
  } else if (!new_map->is_dictionary_map()) {
    MigrateFastToFast(object, new_map);
    if (old_map->is_prototype_map()) {
-      DCHECK(!old_map->is_stable());
-      DCHECK(new_map->is_stable());
-      // Clear out the old descriptor array to avoid problems to sharing
-      // the descriptor array without using an explicit.
-      old_map->InitializeDescriptors(
-          old_map->GetHeap()->empty_descriptor_array(),
-          LayoutDescriptor::FastPointerLayout());
-      // Ensure that no transition was inserted for prototype migrations.
-      DCHECK_EQ(
-          0, TransitionArray::NumberOfTransitions(old_map->raw_transitions()));
-      DCHECK(new_map->GetBackPointer()->IsUndefined(new_map->GetIsolate()));
+      DCHECK_IMPLIES(
+          old_map->instance_descriptors() !=
+              old_map->GetHeap()->empty_descriptor_array(),
+          old_map->instance_descriptors() != new_map->instance_descriptors());
    }
  } else {
    MigrateFastToSlow(object, new_map, expected_additional_properties);
@@ -8722,17 +8715,11 @@ void Map::ConnectTransition(Handle<Map> parent, Handle<Map> child,
    DCHECK_EQ(parent->NumberOfOwnDescriptors(),
              parent->instance_descriptors()->number_of_descriptors());
  }
-  if (parent->is_prototype_map()) {
-    DCHECK(child->is_prototype_map());
+  DCHECK(!parent->is_prototype_map());
+  TransitionArray::Insert(parent, name, child, flag);
 #if V8_TRACE_MAPS
-    Map::TraceTransition("NoTransition", *parent, *child, *name);
+  Map::TraceTransition("Transition", *parent, *child, *name);
 #endif
-  } else {
-    TransitionArray::Insert(parent, name, child, flag);
-#if V8_TRACE_MAPS
-    Map::TraceTransition("Transition", *parent, *child, *name);
-#endif
-  }
 }


@@ -9317,7 +9304,8 @@ Handle<Map> Map::CopyAddDescriptor(Handle<Map> map,
  // Share descriptors only if map owns descriptors and it not an initial map.
  if (flag == INSERT_TRANSITION && map->owns_descriptors() &&
      !map->GetBackPointer()->IsUndefined(map->GetIsolate()) &&
-      TransitionArray::CanHaveMoreTransitions(map)) {
+      TransitionArray::CanHaveMoreTransitions(map) &&
+      !map->is_prototype_map()) {
    return ShareDescriptor(map, descriptors, descriptor);
  }