AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[heap] Explicitly clear slot in MigrateFastToFast

Browse Source 
Since invalidation is disabled at the moment, slots still need to be
cleared explicitly. This was not the case in MigrateFastToFast in
case a slot transitioned from tagged to untagged.

Bug: chromium:1006630
Change-Id: I8d32ab9196603dabad9a382ec49b39144624c30d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815248
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63929}
This commit is contained in:
Dominik Inführ 2019-09-23 12:25:20 +02:00 committed by Commit Bot
parent 39ecc997eb
commit 95b8b10bf3
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/objects/js-objects.cc
View File

@ -2795,6 +2795,7 @@ void MigrateFastToFast(Isolate* isolate, Handle<JSObject> object,
index, HeapNumber::cast(value).value_as_bits());
if (i < old_number_of_fields && !old_map->IsUnboxedDoubleField(index)) {
// Transition from tagged to untagged slot.
heap->ClearRecordedSlot(*object, object->RawField(index.offset()));
MemoryChunk* chunk = MemoryChunk::FromHeapObject(*object);
chunk->InvalidateRecordedSlots(*object);
} else {