Fix heap verifier for partially constructed arrays when allocation folding is off.
BUG= R=mvstanton@chromium.org Review URL: https://codereview.chromium.org/23934008 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16713 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent
3824d596a7
commit
a844362937
@ -330,10 +330,11 @@ void JSObject::JSObjectVerify() {
|
||||
}
|
||||
}
|
||||
|
||||
// TODO(hpayer): deal gracefully with partially constructed JSObjects, when
|
||||
// allocation folding is turned off.
|
||||
if (reinterpret_cast<Map*>(elements()) !=
|
||||
GetHeap()->one_pointer_filler_map()) {
|
||||
// If a GC was caused while constructing this object, the elements
|
||||
// pointer may point to a one pointer filler map.
|
||||
if ((FLAG_use_gvn && FLAG_use_allocation_folding) ||
|
||||
(reinterpret_cast<Map*>(elements()) !=
|
||||
GetHeap()->one_pointer_filler_map())) {
|
||||
CHECK_EQ((map()->has_fast_smi_or_object_elements() ||
|
||||
(elements() == GetHeap()->empty_fixed_array())),
|
||||
(elements()->map() == GetHeap()->fixed_array_map() ||
|
||||
@ -683,10 +684,11 @@ void Code::VerifyEmbeddedMapsDependency() {
|
||||
void JSArray::JSArrayVerify() {
|
||||
JSObjectVerify();
|
||||
CHECK(length()->IsNumber() || length()->IsUndefined());
|
||||
// TODO(hpayer): deal gracefully with partially constructed JSObjects, when
|
||||
// allocation folding is turned off.
|
||||
if (reinterpret_cast<Map*>(elements()) !=
|
||||
GetHeap()->one_pointer_filler_map()) {
|
||||
// If a GC was caused while constructing this array, the elements
|
||||
// pointer may point to a one pointer filler map.
|
||||
if ((FLAG_use_gvn && FLAG_use_allocation_folding) ||
|
||||
(reinterpret_cast<Map*>(elements()) !=
|
||||
GetHeap()->one_pointer_filler_map())) {
|
||||
CHECK(elements()->IsUndefined() ||
|
||||
elements()->IsFixedArray() ||
|
||||
elements()->IsFixedDoubleArray());
|
||||
|
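Review bot: The new guard in JSObjectVerify, repeated verbatim in JSArrayVerify, makes the verifier's strictness depend on two runtime flags, but the comment above it explains only the filler-map case and not why `FLAG_use_gvn && FLAG_use_allocation_folding` forces the check. With either flag off, an elements pointer equal to `one_pointer_filler_map()` skips the elements checks entirely, so a stale or corrupted pointer with that value goes unreported in that configuration. That is presumably the intended trade-off, and it should be stated. I would extend the comment with something like `// With folding on, object and elements are presumably allocated together, so a filler map here is an error and must reach the CHECK.` (wording to be confirmed by the author), and move the condition into one shared helper so the two verifiers cannot drift apart. Both function bodies continue outside the hunks.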