From ceba405f28a6b20814107930365788f2749db574 Mon Sep 17 00:00:00 2001
From: jkummerow
Date: Fri, 5 May 2017 15:23:04 -0700
Subject: [PATCH] [runtime] MigrateFastToFast: fix check for unboxed inobject doubles

After the recent fast-property deletion changes, there can be a non-empty out-of-object backing store (that previously held properties) even though the next double property will be stored in-object.

BUG=chromium:718779
Review-Url: https://codereview.chromium.org/2861093004
Cr-Commit-Position: refs/heads/master@{#45146}
---
src/objects.cc | 5 ++---
test/mjsunit/regress/regress-crbug-718779.js | 21 ++++++++++++++++++++
2 files changed, 23 insertions(+), 3 deletions(-)
create mode 100644 test/mjsunit/regress/regress-crbug-718779.js
diff --git a/src/objects.cc b/src/objects.cc
index f40dc1e007..b99fe18d41 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -3473,9 +3473,8 @@ void MigrateFastToFast(Handle object, Handle new_map) {
 // which there is still space, and which does not require a mutable double
 // box (an out-of-object double).
 if (details.location() == kDescriptor ||
- (have_space &&
- ((FLAG_unbox_double_fields && object->properties()->length() == 0) ||
- !details.representation().IsDouble()))) {
+ (have_space && ((FLAG_unbox_double_fields && target_index < 0) ||
+ !details.representation().IsDouble()))) {
 object->synchronized_set_map(*new_map);
 return;
 }
diff --git a/test/mjsunit/regress/regress-crbug-718779.js b/test/mjsunit/regress/regress-crbug-718779.js
new file mode 100644
index 0000000000..e62c10729f
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-718779.js
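Review bot: The meaning of `target_index < 0` in the new condition is not stated anywhere in the hunk; the only nearby explanation is the comment two lines above about "an out-of-object double", which still reads as a description of the old `properties()->length() == 0` test. I would extend that comment so the sign convention is explicit, e.g. `// (target_index < 0 presumably means the field lives in-object, so an unboxed double fits even when the out-of-object backing store is non-empty after deletions.)`. Where `target_index` is computed, and the rest of MigrateFastToFast, lie outside this hunk, so I cannot confirm from here that a negative index denotes an in-object slot; the comment should be checked against that definition before landing.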
@@ -0,0 +1,21 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function __f_1()
+{
+ __v_1.p2 = 2147483648;
+ __v_1.p3 = 3;
+ __v_1.p4 = 4;
+ __v_1.p5 = 2147483648;
+ __v_1.p6 = 6;
+}
+function __f_2()
+{
+ delete __v_1.p6;
+ delete __v_1.p5;
+}
+var __v_1 = { };
+__f_1(__v_1);
+__f_2(__v_1);
+__f_1(__v_1);
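Review bot: The last three lines call `__f_1(__v_1)` and `__f_2(__v_1)`, but both functions are declared without parameters and read the global `__v_1` directly, so the argument is dead and misrepresents the data flow. Either drop the argument or declare it and use it, e.g. `function __f_1(o)` with `o.p2 = 2147483648;` in the body, and likewise for `__f_2`. The file also carries no comment tying it to what it reproduces; a line above `var __v_1 = { };` such as `// Deleting p6 and p5 leaves a non-empty out-of-object property store while the next double property is stored in-object (see the commit message).` would make the regression readable without the commit history.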