[runtime] Fix assert in EnsureInitialMap()

Bug: chromium:1132640 Change-Id: I40e8aecc98d9fc20bbe1df6e31be127af8710723 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2436334Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#70222}

[runtime] Fix assert in EnsureInitialMap()
Bug: chromium:1132640 Change-Id: I40e8aecc98d9fc20bbe1df6e31be127af8710723 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2436334Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#70222}
60de9d5a · Igor Sheludko · Commit Bot · c11a054e · 60de9d5a
Commit 60de9d5a authored Sep 29, 2020 by Igor Sheludko Committed by Commit Bot Sep 30, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 10 deletions

map.cc src/objects/map.cc +8 -10

No files found.
--- a/src/objects/map.cc
+++ b/src/objects/map.cc
@@ -1586,18 +1586,20 @@ Handle<Map> Map::TransitionToImmutableProto(Isolate* isolate, Handle<Map> map) {
 namespace {
 void EnsureInitialMap(Isolate* isolate, Handle<Map> map) {
 #ifdef DEBUG
-  // Strict function maps have Function as a constructor but the
-  // Function's initial map is a sloppy function map. Same holds for
-  // GeneratorFunction / AsyncFunction and its initial map.
-  Object constructor = map->GetConstructor();
-  DCHECK(constructor.IsJSFunction());
-  DCHECK(*map == JSFunction::cast(constructor).initial_map() ||
+  Object maybe_constructor = map->GetConstructor();
+  DCHECK((maybe_constructor.IsJSFunction() &&
+          *map == JSFunction::cast(maybe_constructor).initial_map()) ||
+         // Below are the exceptions to the check above.
+         // Strict function maps have Function as a constructor but the
+         // Function's initial map is a sloppy function map.
         *map == *isolate->strict_function_map() ||
         *map == *isolate->strict_function_with_name_map() ||
+         // Same holds for GeneratorFunction and its initial map.
         *map == *isolate->generator_function_map() ||
         *map == *isolate->generator_function_with_name_map() ||
         *map == *isolate->generator_function_with_home_object_map() ||
         *map == *isolate->generator_function_with_name_and_home_object_map() ||
+         // AsyncFunction has Null as a constructor.
         *map == *isolate->async_function_map() ||
         *map == *isolate->async_function_with_name_map() ||
         *map == *isolate->async_function_with_home_object_map() ||
@@ -1622,10 +1624,6 @@ Handle<Map> Map::CopyInitialMap(Isolate* isolate, Handle<Map> map,
                                int instance_size, int inobject_properties,
                                int unused_property_fields) {
  EnsureInitialMap(isolate, map);
-  // Initial map must not contain descriptors in the descriptors array
-  // that do not belong to the map.
-  DCHECK_EQ(map->NumberOfOwnDescriptors(),
-            map->instance_descriptors().number_of_descriptors());

  Handle<Map> result =
      RawCopy(isolate, map, instance_size, inobject_properties);