[heap] Explicitly clear slot in MigrateFastToFast

Since invalidation is disabled at the moment, slots still need to be cleared explicitly. This was not the case in MigrateFastToFast in case a slot transitioned from tagged to untagged. Bug: chromium:1006630 Change-Id: I8d32ab9196603dabad9a382ec49b39144624c30d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815248Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#63929}

[heap] Explicitly clear slot in MigrateFastToFast
Since invalidation is disabled at the moment, slots still need to be cleared explicitly. This was not the case in MigrateFastToFast in case a slot transitioned from tagged to untagged. Bug: chromium:1006630 Change-Id: I8d32ab9196603dabad9a382ec49b39144624c30d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815248Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#63929}
95b8b10b · Dominik Inführ · Commit Bot · 39ecc997 · 95b8b10b
Commit 95b8b10b authored Sep 23, 2019 by Dominik Inführ Committed by Commit Bot Sep 23, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

js-objects.cc src/objects/js-objects.cc +1 -0

No files found.
--- a/src/objects/js-objects.cc
+++ b/src/objects/js-objects.cc
@@ -2795,6 +2795,7 @@ void MigrateFastToFast(Isolate* isolate, Handle<JSObject> object,
          index, HeapNumber::cast(value).value_as_bits());
      if (i < old_number_of_fields && !old_map->IsUnboxedDoubleField(index)) {
        // Transition from tagged to untagged slot.
+        heap->ClearRecordedSlot(*object, object->RawField(index.offset()));
        MemoryChunk* chunk = MemoryChunk::FromHeapObject(*object);
        chunk->InvalidateRecordedSlots(*object);
      } else {