[v8-dev] Version 4.3.61.22 (cherry-pick) (issue 1141263005 by ishell@chromium.org)

['Igor Sheludko' via codereview.chromium.org]

Reviewers: Jakob,

Description:
Version 4.3.61.22 (cherry-pick)
Merged 3c1487db6088671425effe1ff523fae94a34e19f

Map::ReconfigureProperty() should mark map as unstable when there is an  
element
kind transition somewhere in the middle of the transition tree.

BUG=chromium:485548
LOG=N
R=jkumme...@chromium.org

Please review this at https://codereview.chromium.org/1141263005/

Base URL: https://chromium.googlesource.com/v8/v8.git@4.3

Affected files (+76, -2 lines):
  M include/v8-version.h
  M src/objects.cc
  A test/mjsunit/regress/regress-crbug-485548-1.js
  A test/mjsunit/regress/regress-crbug-485548-2.js


Index: include/v8-version.h
diff --git a/include/v8-version.h b/include/v8-version.h
index  
9cdb1259216c19a694bcc9318900626f32e77097..dab02d8a7f0e6cf7f3adf159627b2036e63ea7b6  
100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 4
 #define V8_MINOR_VERSION 3
 #define V8_BUILD_NUMBER 61
-#define V8_PATCH_LEVEL 21
+#define V8_PATCH_LEVEL 22

 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index  
77a82e6d94a8ca010c2fa65b19da95e8d97e987b..ce09632cf8daf9e8064954cec0bb16fbebe1e56d  
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -1387,7 +1387,8 @@ void HeapObject::HeapObjectShortPrint(std::ostream&  
os) {  // NOLINT
   }
   switch (map()->instance_type()) {
     case MAP_TYPE:
-      os << "<Map(elements=" << Map::cast(this)->elements_kind() << ")>";
+      os << "<Map(" <<  
ElementsKindToString(Map::cast(this)->elements_kind())
+         << ")>";
       break;
     case FIXED_ARRAY_TYPE:
       os << "<FixedArray[" << FixedArray::cast(this)->length() << "]>";
@@ -2891,6 +2892,13 @@ Handle<Map> Map::ReconfigureProperty(Handle<Map>  
old_map, int modify_index,
       split_kind, old_descriptors->GetKey(split_nof), split_attributes,
       *new_descriptors, *new_layout_descriptor);

+  if (from_kind != to_kind) {
+    // There was an elements kind change in the middle of transition tree  
and
+    // we reconstructed the tree so that all elements kind transitions are
+    // done at the beginning, therefore the |old_map| is no longer stable.
+    old_map->NotifyLeafMapLayoutChange();
+  }
+
   // If |transition_target_deprecated| is true then the transition array
   // already contains entry for given descriptor. This means that the  
transition
   // could be inserted regardless of whether transitions array is full or  
not.
Index: test/mjsunit/regress/regress-crbug-485548-1.js
diff --git a/test/mjsunit/regress/regress-crbug-485548-1.js  
b/test/mjsunit/regress/regress-crbug-485548-1.js
new file mode 100644
index  
0000000000000000000000000000000000000000..bbd0f7dd45e263330320990ef305a134c1397e0f
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-485548-1.js
@@ -0,0 +1,33 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+var inner = new Array();
+inner.a = {x:1};
+inner[0] = 1.5;
+inner.b = {x:2};
+assertTrue(%HasFastDoubleElements(inner));
+
+function foo(o) {
+  return o.field.a.x;
+}
+
+var outer = {};
+outer.field = inner;
+foo(outer);
+foo(outer);
+foo(outer);
+%OptimizeFunctionOnNextCall(foo);
+foo(outer);
+
+// Generalize representation of field "a" of inner object.
+var v = { get x() { return 0x7fffffff; } };
+inner.a = v;
+
+gc();
+
+var boom = foo(outer);
+print(boom);
+assertEquals(0x7fffffff, boom);
Index: test/mjsunit/regress/regress-crbug-485548-2.js
diff --git a/test/mjsunit/regress/regress-crbug-485548-2.js  
b/test/mjsunit/regress/regress-crbug-485548-2.js
new file mode 100644
index  
0000000000000000000000000000000000000000..7e449a6fd450359d3dd959161f0c957604d4fbd7
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-485548-2.js
@@ -0,0 +1,33 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+var inner = new Array();
+inner.a = {x:1};
+inner[0] = 1.5;
+inner.b = {x:2};
+assertTrue(%HasFastDoubleElements(inner));
+
+function foo(o) {
+  return o.field.b.x;
+}
+
+var outer = {};
+outer.field = inner;
+foo(outer);
+foo(outer);
+foo(outer);
+%OptimizeFunctionOnNextCall(foo);
+foo(outer);
+
+// Generalize representation of field "b" of inner object.
+var v = { get x() { return 0x7fffffff; } };
+inner.b = v;
+
+gc();
+
+var boom = foo(outer);
+print(boom);
+assertEquals(0x7fffffff, boom);


--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.