Fix assert by reordering the initialization of the arguments boilerplate.

If a GC happened during initialization (when allocating the elements array)
of the non_strict_arguments_boilerplate, heap verification would fail with the following assert:

ASSERT_EQ((map()->has_fast_elements() || map()->has_fast_smi_only_elements()),
            (elements()->map() == GetHeap()->fixed_array_map() ||
             elements()->map() == GetHeap()->fixed_cow_array_map()));

This was not harmful since the boilerplate was setup 
correctly immediatly afterwards.


Simplified the setup code by removing a call to GetElementsTransitionMap. It always return the same map as 
the input object in this case and is therefore unnecessary.


Added more assertions to verify well-formed non-strict
arguments backing store.

BUG=v8:1520
TEST=no more flaky tests with failing this assert.
 
Review URL: http://codereview.chromium.org/8336021

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9678 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/bootstrapper.cc

@@ -1084,11 +1084,6 @@ void Genesis::InitializeGlobal(Handle<GlobalObject> inner_global,
   }
 
   {  // --- aliased_arguments_boilerplate_
-    Handle<Map> old_map(global_context()->arguments_boilerplate()->map());
-    Handle<Map> new_map = factory->CopyMapDropTransitions(old_map);
-    new_map->set_pre_allocated_property_fields(2);
-    Handle<JSObject> result = factory->NewJSObjectFromMap(new_map);
-    new_map->set_elements_kind(NON_STRICT_ARGUMENTS_ELEMENTS);
     // Set up a well-formed parameter map to make assertions happy.
     Handle<FixedArray> elements = factory->NewFixedArray(2);
     elements->set_map(heap->non_strict_arguments_elements_map());
@@ -1097,12 +1092,16 @@ void Genesis::InitializeGlobal(Handle<GlobalObject> inner_global,
     elements->set(0, *array);
     array = factory->NewFixedArray(0);
     elements->set(1, *array);
-    Handle<Map> non_strict_arguments_elements_map =
+
-        factory->GetElementsTransitionMap(result,
+    Handle<Map> old_map(global_context()->arguments_boilerplate()->map());
-                                          NON_STRICT_ARGUMENTS_ELEMENTS);
+    Handle<Map> new_map = factory->CopyMapDropTransitions(old_map);
-    result->set_map(*non_strict_arguments_elements_map);
+    new_map->set_pre_allocated_property_fields(2);
-    ASSERT(result->HasNonStrictArgumentsElements());
+    Handle<JSObject> result = factory->NewJSObjectFromMap(new_map);
+    // Set elements kind after allocating the object because
+    // NewJSObjectFromMap assumes a fast elements map.
+    new_map->set_elements_kind(NON_STRICT_ARGUMENTS_ELEMENTS);
     result->set_elements(*elements);
+    ASSERT(result->HasNonStrictArgumentsElements());
     global_context()->set_aliased_arguments_boilerplate(*result);
   }
 

src/objects-debug.cc

@@ -263,6 +263,12 @@ void ExternalDoubleArray::ExternalDoubleArrayVerify() {
 void JSObject::JSObjectVerify() {
   VerifyHeapPointer(properties());
   VerifyHeapPointer(elements());
+
+  if (GetElementsKind() == NON_STRICT_ARGUMENTS_ELEMENTS) {
+    ASSERT(this->elements()->IsFixedArray());
+    ASSERT(this->elements()->length() >= 2);
+  }
+
   if (HasFastProperties()) {
     CHECK_EQ(map()->unused_property_fields(),
              (map()->inobject_properties() + properties()->length() -

src/objects-inl.h

@@ -4096,6 +4096,8 @@ ElementsKind JSObject::GetElementsKind() {
             fixed_array->IsFixedArray() &&
             fixed_array->IsDictionary()) ||
            (kind > DICTIONARY_ELEMENTS));
+    ASSERT((kind != NON_STRICT_ARGUMENTS_ELEMENTS) ||
+           (elements()->IsFixedArray() && elements()->length() >= 2));
 #endif
   return kind;
 }