Fix transition conversion from CONSTANT_FUNCTION to FIELD.

Review URL: https://chromiumcodereview.appspot.com/11094044

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12688 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/objects-printer.cc

@@ -254,7 +254,7 @@ void ExternalDoubleArray::ExternalDoubleArrayPrint(FILE* out) {
 void JSObject::PrintProperties(FILE* out) {
   if (HasFastProperties()) {
     DescriptorArray* descs = map()->instance_descriptors();
-    for (int i = 0; i < descs->number_of_descriptors(); i++) {
+    for (int i = 0; i < map()->NumberOfOwnDescriptors(); i++) {
       PrintF(out, "   ");
       descs->GetKey(i)->StringPrint(out);
       PrintF(out, ": ");

src/objects.cc

@@ -1771,9 +1771,7 @@ MaybeObject* JSObject::ConvertTransitionToMapTransition(
 
   // If the old_target did not yet store its own descriptors, the new
   // descriptors pointer is created for the old_target by temporarily clearing
-  // the back pointer and setting its descriptor array. The ownership of the
-  // descriptor array is returned to the smaller maps by installing a reduced
-  // copy of the descriptor array in the old_map.
+  // the back pointer and setting its descriptor array.
 
   // This phase is executed before creating the new map since it requires
   // allocation that may fail.
@@ -1787,8 +1785,6 @@ MaybeObject* JSObject::ConvertTransitionToMapTransition(
     // descriptors. Setting the backpointer always succeeds.
     old_target->SetBackPointer(old_map);
     if (maybe_failure->IsFailure()) return maybe_failure;
-
-    old_map->set_owns_descriptors(true);
   }
 
   MaybeObject* maybe_result =
@@ -1815,18 +1811,6 @@ MaybeObject* JSObject::ConvertTransitionToMapTransition(
         new_map->instance_descriptors());
     new_map->ClearTransitions(GetHeap());
     old_map->set_owns_descriptors(false);
-    Map* map;
-    JSGlobalPropertyCell* pointer =
-        old_map->transitions()->descriptors_pointer();
-    for (Object* current = old_map;
-         !current->IsUndefined();
-         current = map->GetBackPointer()) {
-      map = Map::cast(current);
-      if (!map->HasTransitionArray()) break;
-      TransitionArray* transitions = map->transitions();
-      if (transitions->descriptors_pointer() != pointer) break;
-      map->SetEnumLength(Map::kInvalidEnumCache);
-    }
   } else if (old_target->instance_descriptors() ==
              old_map->instance_descriptors()) {
     // Since the conversion above generated a new fast map with an additional
@@ -4995,8 +4979,11 @@ MaybeObject* Map::ShareDescriptor(Descriptor* descriptor) {
   // Sanity check. This path is only to be taken if the map owns its descriptor
   // array, implying that its NumberOfOwnDescriptors equals the number of
   // descriptors in the descriptor array.
-  ASSERT(NumberOfOwnDescriptors() ==
-         instance_descriptors()->number_of_descriptors());
+  if (NumberOfOwnDescriptors() !=
+      instance_descriptors()->number_of_descriptors()) {
+    Isolate::Current()->PushStackTraceAndDie(
+          0xDEAD0002, GetBackPointer(), this, 0xDEAD0003);
+  }
   Map* result;
   MaybeObject* maybe_result = CopyDropDescriptors();
   if (!maybe_result->To(&result)) return maybe_result;
@@ -5086,7 +5073,7 @@ MaybeObject* Map::CopyReplaceDescriptors(DescriptorArray* descriptors,
         // If the copied map has no added fields, and the parent map owns its
         // descriptors, those descriptors have to be empty. In that case,
         // transfer ownership of the descriptors to the new child.
-        ASSERT(instance_descriptors()->IsEmpty());
+        CHECK(instance_descriptors()->IsEmpty());
         set_owns_descriptors(false);
       } else {
         // If the parent did not own its own descriptors, it may share a larger

test/mjsunit/regress/regress-convert-transition.js

@@ -0,0 +1,40 @@
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+var input = '{ "a1":1, "a2":1, "a3":1, "a4":1, "a5":1, "a6":1, "a7":1,\
+               "a8":1, "a9":1, "a10":1, "a11":1, "a12":1, "a13":1}';
+var a = JSON.parse(input);
+a.a = function() { return 10; };
+
+// Force conversion of field to slow mode.
+var b = JSON.parse(input);
+b.a = 10;
+
+// Add another property to the object that would transition to a.
+var c = JSON.parse(input);
+c.x = 10;
+assertEquals(undefined, c.a);