[runtime] MigrateFastToFast: fix check for unboxed inobject doubles
After the recent fast-property deletion changes, there can be a non-empty out-of-object backing store (that previously held properties) even though the next double property will be stored in-object. BUG=chromium:718779 Review-Url: https://codereview.chromium.org/2861093004 Cr-Commit-Position: refs/heads/master@{#45146}
This commit is contained in:
parent
c3f0e2a5b0
commit
ceba405f28
@ -3473,8 +3473,7 @@ void MigrateFastToFast(Handle<JSObject> object, Handle<Map> new_map) {
|
||||
// which there is still space, and which does not require a mutable double
|
||||
// box (an out-of-object double).
|
||||
if (details.location() == kDescriptor ||
|
||||
(have_space &&
|
||||
((FLAG_unbox_double_fields && object->properties()->length() == 0) ||
|
||||
(have_space && ((FLAG_unbox_double_fields && target_index < 0) ||
|
||||
!details.representation().IsDouble()))) {
|
||||
object->synchronized_set_map(*new_map);
|
||||
return;
|
||||
|
21
test/mjsunit/regress/regress-crbug-718779.js
Normal file
21
test/mjsunit/regress/regress-crbug-718779.js
Normal file
@ -0,0 +1,21 @@
|
||||
// Copyright 2017 the V8 project authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
function __f_1()
|
||||
{
|
||||
__v_1.p2 = 2147483648;
|
||||
__v_1.p3 = 3;
|
||||
__v_1.p4 = 4;
|
||||
__v_1.p5 = 2147483648;
|
||||
__v_1.p6 = 6;
|
||||
}
|
||||
function __f_2()
|
||||
{
|
||||
delete __v_1.p6;
|
||||
delete __v_1.p5;
|
||||
}
|
||||
var __v_1 = { };
|
||||
__f_1(__v_1);
|
||||
__f_2(__v_1);
|
||||
__f_1(__v_1);
|
Loading…
Reference in New Issue
Block a user