[heap] Explicitly clear slot in MigrateFastToFast
Since invalidation is disabled at the moment, slots still need to be cleared explicitly. This was not the case in MigrateFastToFast in case a slot transitioned from tagged to untagged. Bug: chromium:1006630 Change-Id: I8d32ab9196603dabad9a382ec49b39144624c30d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815248 Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#63929}
parent
39ecc997eb
commit
95b8b10bf3
@ -2795,6 +2795,7 @@ void MigrateFastToFast(Isolate* isolate, Handle<JSObject> object,
|
|||||||
index, HeapNumber::cast(value).value_as_bits());
|
index, HeapNumber::cast(value).value_as_bits());
|
||||||
if (i < old_number_of_fields && !old_map->IsUnboxedDoubleField(index)) {
|
if (i < old_number_of_fields && !old_map->IsUnboxedDoubleField(index)) {
|
||||||
// Transition from tagged to untagged slot.
|
// Transition from tagged to untagged slot.
|
||||||
|
heap->ClearRecordedSlot(*object, object->RawField(index.offset()));
|
||||||
MemoryChunk* chunk = MemoryChunk::FromHeapObject(*object);
|
MemoryChunk* chunk = MemoryChunk::FromHeapObject(*object);
|
||||||
chunk->InvalidateRecordedSlots(*object);
|
chunk->InvalidateRecordedSlots(*object);
|
||||||
} else {
|
} else {
|
||||||
|
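Review bot: The added `heap->ClearRecordedSlot(*object, object->RawField(index.offset()));` sits directly above `chunk->InvalidateRecordedSlots(*object);` with nothing in the code saying why both are needed, so a later cleanup could drop it as redundant. The reason is given only in the commit description (invalidation is currently disabled). If the call were omitted, a stale recorded slot would presumably let the GC treat the raw double bits just stored at `index` as a tagged pointer. I would extend the existing comment to something like `// Transition from tagged to untagged slot. Invalidation is currently disabled, so clear the recorded slot explicitly; revisit once invalidation is re-enabled.` MigrateFastToFast begins and ends outside this hunk, so the `else` branch and the other field transitions are not visible here.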