[runtime] MigrateFastToFast: fix check for unboxed inobject doubles

After the recent fast-property deletion changes, there can be a non-empty out-of-object backing store (that previously held properties) even though the next double property will be stored in-object. BUG=chromium:718779 Review-Url: https://codereview.chromium.org/2861093004 Cr-Commit-Position: refs/heads/master@{#45146}
2017-05-05 15:23:04 -07:00 · 2017-05-05 15:23:04 -07:00 · ceba405f28
commit ceba405f28
parent c3f0e2a5b0
2 changed files with 23 additions and 3 deletions
--- a/src/objects.cc
+++ b/src/objects.cc
@ -3473,9 +3473,8 @@ void MigrateFastToFast(Handle<JSObject> object, Handle<Map> new_map) {
    // which there is still space, and which does not require a mutable double
    // box (an out-of-object double).
    if (details.location() == kDescriptor ||
-        (have_space &&
-         ((FLAG_unbox_double_fields && object->properties()->length() == 0) ||
-          !details.representation().IsDouble()))) {
+        (have_space && ((FLAG_unbox_double_fields && target_index < 0) ||
+                        !details.representation().IsDouble()))) {
      object->synchronized_set_map(*new_map);
      return;
    }
--- a/test/mjsunit/regress/regress-crbug-718779.js
+++ b/test/mjsunit/regress/regress-crbug-718779.js
@ -0,0 +1,21 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function __f_1()
+{
+    __v_1.p2 = 2147483648;
+    __v_1.p3 = 3;
+    __v_1.p4 = 4;
+    __v_1.p5 = 2147483648;
+    __v_1.p6 = 6;
+}
+function __f_2()
+{
+    delete __v_1.p6;
+    delete __v_1.p5;
+}
+var __v_1 = { };
+__f_1(__v_1);
+__f_2(__v_1);
+__f_1(__v_1);