From 1a8f611e425ef18d430bc84cc7b8dec3d383de79 Mon Sep 17 00:00:00 2001
From: "mvstanton@chromium.org"
 <mvstanton@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Fri, 11 Apr 2014 14:25:00 +0000
Subject: [PATCH] Gcstress bug fix: Transition arrays may get smaller during
 gc.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/234873004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20694 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/objects-inl.h  |  3 +--
 src/transitions.cc | 21 ++++++++++++++-------
 src/transitions.h  |  4 +++-
 3 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/src/objects-inl.h b/src/objects-inl.h
index 96c397f51b..ed66dc6423 100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -4987,8 +4987,7 @@ static void EnsureHasTransitionArray(Handle<Map> map) {
     transitions = TransitionArray::Allocate(map->GetIsolate(), 0);
     transitions->set_back_pointer_storage(map->GetBackPointer());
   } else if (!map->transitions()->IsFullTransitionArray()) {
-    transitions = TransitionArray::ExtendToFullTransitionArray(
-        handle(map->transitions()));
+    transitions = TransitionArray::ExtendToFullTransitionArray(map);
   } else {
     return;
   }
diff --git a/src/transitions.cc b/src/transitions.cc
index dc0a307cf0..33b2475a61 100644
--- a/src/transitions.cc
+++ b/src/transitions.cc
@@ -86,17 +86,24 @@ Handle<TransitionArray> TransitionArray::NewWith(Handle<Map> map,
 
 
 Handle<TransitionArray> TransitionArray::ExtendToFullTransitionArray(
-    Handle<TransitionArray> array) {
-  ASSERT(!array->IsFullTransitionArray());
-  int nof = array->number_of_transitions();
-  Handle<TransitionArray> result = Allocate(array->GetIsolate(), nof);
+    Handle<Map> containing_map) {
+  ASSERT(!containing_map->transitions()->IsFullTransitionArray());
+  int nof = containing_map->transitions()->number_of_transitions();
 
-  if (nof == 1) {
+  // A transition array may shrink during GC.
+  Handle<TransitionArray> result = Allocate(containing_map->GetIsolate(), nof);
+  DisallowHeapAllocation no_gc;
+  int new_nof = containing_map->transitions()->number_of_transitions();
+  if (new_nof != nof) {
+    ASSERT(new_nof == 0);
+    result->Shrink(ToKeyIndex(0));
+  } else if (nof == 1) {
     result->NoIncrementalWriteBarrierCopyFrom(
-        *array, kSimpleTransitionIndex, 0);
+        containing_map->transitions(), kSimpleTransitionIndex, 0);
   }
 
-  result->set_back_pointer_storage(array->back_pointer_storage());
+  result->set_back_pointer_storage(
+      containing_map->transitions()->back_pointer_storage());
   return result;
 }
 
diff --git a/src/transitions.h b/src/transitions.h
index 0c1acf8633..e0ec8a01e7 100644
--- a/src/transitions.h
+++ b/src/transitions.h
@@ -95,8 +95,10 @@ class TransitionArray: public FixedArray {
 
   inline int number_of_entries() { return number_of_transitions(); }
 
+  // Creates a FullTransitionArray from a SimpleTransitionArray in
+  // containing_map.
   static Handle<TransitionArray> ExtendToFullTransitionArray(
-      Handle<TransitionArray> array);
+      Handle<Map> containing_map);
 
   // Create a transition array, copying from the owning map if it already has
   // one, otherwise creating a new one according to flag.