From 95b8b10bf3978663f8eab703bc148a93c0794187 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20Inf=C3=BChr?= <dinfuehr@chromium.org>
Date: Mon, 23 Sep 2019 12:25:20 +0200
Subject: [PATCH] [heap] Explicitly clear slot in MigrateFastToFast
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Since invalidation is disabled at the moment, slots still need to be
cleared explicitly. This was not the case in MigrateFastToFast in
case a slot transitioned from tagged to untagged.

Bug: chromium:1006630
Change-Id: I8d32ab9196603dabad9a382ec49b39144624c30d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815248
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63929}
---
 src/objects/js-objects.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/objects/js-objects.cc b/src/objects/js-objects.cc
index 12b4a22651..b9942db50d 100644
--- a/src/objects/js-objects.cc
+++ b/src/objects/js-objects.cc
@@ -2795,6 +2795,7 @@ void MigrateFastToFast(Isolate* isolate, Handle<JSObject> object,
           index, HeapNumber::cast(value).value_as_bits());
       if (i < old_number_of_fields && !old_map->IsUnboxedDoubleField(index)) {
         // Transition from tagged to untagged slot.
+        heap->ClearRecordedSlot(*object, object->RawField(index.offset()));
         MemoryChunk* chunk = MemoryChunk::FromHeapObject(*object);
         chunk->InvalidateRecordedSlots(*object);
       } else {