[runtime] Don't create "class" field types for arrays' fields.

... when reconfiguring const fields to mutable fields.

Bug: chromium:747979, chromium:738763, chromium:745844
Change-Id: Ibfac1b875a1da8234966ac10658260f1cc718fe5
Reviewed-on: https://chromium-review.googlesource.com/583647Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46854}

src/map-updater.cc

@@ -123,6 +123,22 @@ Handle<Map> MapUpdater::ReconfigureToDataField(int descriptor,
     new_field_type_ = field_type;
   }
 
+  if (IsTransitionableFastElementsKind(new_elements_kind_) &&
+      Map::IsInplaceGeneralizableField(new_constness_, new_representation_,
+                                       *new_field_type_)) {
+    // We don't support propagation of field generalization through elements
+    // kind transitions because they are inserted into the transition tree
+    // before field transitions. In order to avoid complexity of handling
+    // such a case we ensure that all maps with transitionable elements kinds
+    // do not have fields that can be generalized in-place (without creation
+    // of a new map).
+    if (FLAG_track_constant_fields && FLAG_modify_map_inplace) {
+      new_constness_ = kMutable;
+    }
+    DCHECK(representation.IsHeapObject());
+    new_field_type_ = FieldType::Any(isolate_);
+  }
+
   if (TryRecofigureToDataFieldInplace() == kEnd) return result_map_;
   if (FindRootMap() == kEnd) return result_map_;
   if (FindTargetMap() == kEnd) return result_map_;

src/objects-debug.cc

@@ -366,11 +366,14 @@ void JSObject::JSObjectVerify() {
     }
     DescriptorArray* descriptors = map()->instance_descriptors();
     Isolate* isolate = GetIsolate();
+    bool is_transitionable_fast_elements_kind =
+        IsTransitionableFastElementsKind(map()->elements_kind());
+
     for (int i = 0; i < map()->NumberOfOwnDescriptors(); i++) {
       PropertyDetails details = descriptors->GetDetails(i);
       if (details.location() == kField) {
         DCHECK_EQ(kData, details.kind());
-        Representation r = descriptors->GetDetails(i).representation();
+        Representation r = details.representation();
         FieldIndex index = FieldIndex::ForDescriptor(map(), i);
         if (IsUnboxedDoubleField(index)) {
           DCHECK(r.IsDouble());
@@ -393,6 +396,9 @@ void JSObject::JSObjectVerify() {
           CHECK(!field_type->NowStable() || field_type->NowContains(value) ||
                 (!FLAG_use_allocation_folding && value->IsUndefined(isolate)));
         }
+        CHECK_IMPLIES(is_transitionable_fast_elements_kind,
+                      !Map::IsInplaceGeneralizableField(details.constness(), r,
+                                                        field_type));
       }
     }
   }

test/mjsunit/regress/regress-crbug-747979.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(a) {
+  %HeapObjectVerify(a);
+  a[1] = 0;
+  %HeapObjectVerify(a);
+}
+
+function foo() {}
+
+var arr1 = [0];
+var arr2 = [0];
+var arr3 = [0];
+
+arr1.f = foo;
+arr1[0] = 4.2;
+
+arr2.f = foo;
+
+arr3.f = foo;
+arr3[0] = 4.2;
+arr3.f = f;
+
+f(arr1);
+f(arr2);
+f(arr3);
+%OptimizeFunctionOnNextCall(f);
+f(arr3);