From a473e9a8874d6ff170098bb1615df19d95725641 Mon Sep 17 00:00:00 2001
From: "verwaest@chromium.org"
Date: Thu, 21 Mar 2013 12:19:23 +0000
Subject: [PATCH] Always mark the entire valid prefix of the descriptor array.

Previously we would only mark the slot that was added specifically for this map, if there was a backpointer and the descriptor array was shared via the backpointer. However, ConvertTransitionToMapTransition may break this link after we marked the transitioned map, before we marked the transitioning map. So the descriptor slots of the parent map won't get recorded, and we potentially point to an old address of an already relocated function.

BUG=chromium:196331

Review URL: https://chromiumcodereview.appspot.com/12836005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14027 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/objects-visiting-inl.h | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/src/objects-visiting-inl.h b/src/objects-visiting-inl.h
index beb07b5644..2b7fcf3329 100644
--- a/src/objects-visiting-inl.h
+++ b/src/objects-visiting-inl.h
@@ -397,7 +397,7 @@ void StaticMarkingVisitor::MarkMapContents(
   }
   // Since descriptor arrays are potentially shared, ensure that only the
-  // descriptors that appeared for this map are marked. The first time a
+  // descriptors that belong to this map are marked. The first time a
   // non-empty descriptor array is marked, its header is also visited. The slot
   // holding the descriptor array will be implicitly recorded when the pointer
   // fields of this map are visited.
@@ -410,13 +410,6 @@ void StaticMarkingVisitor::MarkMapContents(
   }
   int start = 0;
   int end = map->NumberOfOwnDescriptors();
-  Object* back_pointer = map->GetBackPointer();
-  if (!back_pointer->IsUndefined()) {
-    Map* parent_map = Map::cast(back_pointer);
-    if (descriptors == parent_map->instance_descriptors()) {
-      start = parent_map->NumberOfOwnDescriptors();
-    }
-  }
   if (start < end) {
     StaticVisitor::VisitPointers(heap,
         descriptors->GetDescriptorStartSlot(start),
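Review bot: The reason the marker must now visit the full `[0, end)` prefix even when the descriptor array is shared with the parent map — the back pointer can be cleared by ConvertTransitionToMapTransition between the marking of the two maps, leaving the parent's slots unrecorded and pointing at relocated objects — lives only in the commit message, so a why-comment above `int end = map->NumberOfOwnDescriptors();` is needed to keep a future "optimization" from reintroducing the stale-pointer bug, e.g. `// Always mark the whole valid prefix, even if the array is shared with the` / `// parent map: the back pointer can be cleared mid-marking (chromium:196331),` / `// so the parent cannot be relied on to record these slots.` With the back-pointer branch gone, `start` is a constant, so `int start = 0;` can be dropped in favour of `GetDescriptorStartSlot(0)` and the guard written as `if (end > 0)`. Because `GetDescriptorEndSlot(end)` yields a raw slot address, an `ASSERT(end <= descriptors->number_of_descriptors());` before the visit would cheaply catch a map whose own-descriptor count runs past the array it points at, unless that accessor already checks this. The remainder of MarkMapContents, including the closing of the `if (start < end)` block, lies past the hunk.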