Always mark the entire valid prefix of the descriptor array.

Previously we would only mark the slot that was added specifically for
this map, if there was a backpointer and the descriptor array was shared
via the backpointer. However, ConvertTransitionToMapTransition may break
this link after we marked the transitioned map, before we marked the
transitioning map. So the descriptor slots of the parent map won't get
recorded, and we potentially point to an old address of an already
relocated function.

BUG=chromium:196331

Review URL: https://chromiumcodereview.appspot.com/12836005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14027 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/objects-visiting-inl.h

@@ -397,7 +397,7 @@ void StaticMarkingVisitor<StaticVisitor>::MarkMapContents(
   }
 
   // Since descriptor arrays are potentially shared, ensure that only the
-  // descriptors that appeared for this map are marked. The first time a
+  // descriptors that belong to this map are marked. The first time a
   // non-empty descriptor array is marked, its header is also visited. The slot
   // holding the descriptor array will be implicitly recorded when the pointer
   // fields of this map are visited.
@@ -410,13 +410,6 @@ void StaticMarkingVisitor<StaticVisitor>::MarkMapContents(
   }
   int start = 0;
   int end = map->NumberOfOwnDescriptors();
-  Object* back_pointer = map->GetBackPointer();
-  if (!back_pointer->IsUndefined()) {
-    Map* parent_map = Map::cast(back_pointer);
-    if (descriptors == parent_map->instance_descriptors()) {
-      start = parent_map->NumberOfOwnDescriptors();
-    }
-  }
   if (start < end) {
     StaticVisitor::VisitPointers(heap,
         descriptors->GetDescriptorStartSlot(start),