[runtime] Don't use ElementsTransitionAndStoreStub for transitions that involve instance rewriting.

BUG=chromium:617524, v8:5009 LOG=Y Review-Url: https://codereview.chromium.org/2044003003 Cr-Commit-Position: refs/heads/master@{#36780}
2016-06-07 02:46:55 -07:00 · 2016-06-07 02:46:55 -07:00 · 3e0be8d7fc
commit 3e0be8d7fc
parent ce291bedd0
3 changed files with 32 additions and 1 deletions
--- a/src/objects.cc
+++ b/src/objects.cc
@ -2762,6 +2762,16 @@ const char* Representation::Mnemonic() const {
  }
 }

+bool Map::InstancesNeedRewriting(Map* target) {
+  int target_number_of_fields = target->NumberOfFields();
+  int target_inobject = target->GetInObjectProperties();
+  int target_unused = target->unused_property_fields();
+  int old_number_of_fields;
+
+  return InstancesNeedRewriting(target, target_number_of_fields,
+                                target_inobject, target_unused,
+                                &old_number_of_fields);
+}

 bool Map::InstancesNeedRewriting(Map* target, int target_number_of_fields,
                                 int target_inobject, int target_unused,
@ -4799,12 +4809,14 @@ Map* Map::FindElementsKindTransitionedMap(MapHandleList* candidates) {
    root_map = root_map->LookupElementsTransitionMap(kind);
    DCHECK_NOT_NULL(root_map);
    // Starting from the next existing elements kind transition try to
-    // replay the property transitions.
+    // replay the property transitions that does not involve instance rewriting
+    // (ElementsTransitionAndStoreStub does not support that).
    for (root_map = root_map->ElementsTransitionMap();
         root_map != nullptr && root_map->has_fast_elements();
         root_map = root_map->ElementsTransitionMap()) {
      Map* current = root_map->TryReplayPropertyTransitions(this);
      if (current == nullptr) continue;
+      if (InstancesNeedRewriting(current)) continue;

      if (ContainsMap(candidates, current) &&
          (packed || !IsFastPackedElementsKind(current->elements_kind()))) {
--- a/src/objects.h
+++ b/src/objects.h
@ -5770,6 +5770,7 @@ class Map: public HeapObject {
  int NumberOfFields();

  // TODO(ishell): candidate with JSObject::MigrateToMap().
+  bool InstancesNeedRewriting(Map* target);
  bool InstancesNeedRewriting(Map* target, int target_number_of_fields,
                              int target_inobject, int target_unused,
                              int* old_number_of_fields);
--- a/test/mjsunit/regress/regress-crbug-617524.js
+++ b/test/mjsunit/regress/regress-crbug-617524.js
@ -0,0 +1,18 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc --always-opt
+
+function f(a,b,c) {
+  a.a = b;
+  a[1] = c;
+  return a;
+}
+
+f(new Array(5),.5,0);
+var o1 = f(new Array(5),0,.5);
+gc();
+var o2 = f(new Array(5),0,0);
+var o3 = f(new Array(5),0);
+assertEquals(0, o3.a);