Fix heap verifier for partially constructed arrays when allocation folding is off.

BUG=
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/23934008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16713 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/objects-debug.cc

@@ -330,10 +330,11 @@ void JSObject::JSObjectVerify() {
     }
   }
 
-  // TODO(hpayer): deal gracefully with partially constructed JSObjects, when
-  // allocation folding is turned off.
-  if (reinterpret_cast<Map*>(elements()) !=
-      GetHeap()->one_pointer_filler_map()) {
+  // If a GC was caused while constructing this object, the elements
+  // pointer may point to a one pointer filler map.
+  if ((FLAG_use_gvn && FLAG_use_allocation_folding) ||
+      (reinterpret_cast<Map*>(elements()) !=
+      GetHeap()->one_pointer_filler_map())) {
     CHECK_EQ((map()->has_fast_smi_or_object_elements() ||
               (elements() == GetHeap()->empty_fixed_array())),
              (elements()->map() == GetHeap()->fixed_array_map() ||
@@ -683,10 +684,11 @@ void Code::VerifyEmbeddedMapsDependency() {
 void JSArray::JSArrayVerify() {
   JSObjectVerify();
   CHECK(length()->IsNumber() || length()->IsUndefined());
-  // TODO(hpayer): deal gracefully with partially constructed JSObjects, when
-  // allocation folding is turned off.
-  if (reinterpret_cast<Map*>(elements()) !=
-      GetHeap()->one_pointer_filler_map()) {
+  // If a GC was caused while constructing this array, the elements
+  // pointer may point to a one pointer filler map.
+  if ((FLAG_use_gvn && FLAG_use_allocation_folding) ||
+      (reinterpret_cast<Map*>(elements()) !=
+      GetHeap()->one_pointer_filler_map())) {
     CHECK(elements()->IsUndefined() ||
           elements()->IsFixedArray() ||
           elements()->IsFixedDoubleArray());