Reviewers: Jakob,
Message:
PTAL.
Description:
Fix transition conversion from CONSTANT_FUNCTION to FIELD.
Please review this at https://chromiumcodereview.appspot.com/11094044/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/objects-printer.cc
M src/objects.cc
A + test/mjsunit/regress/regress-convert-transition.js
Index: src/objects-printer.cc
diff --git a/src/objects-printer.cc b/src/objects-printer.cc
index
1ba0bb0d0988780dd6437e797ca25c1ac7f971b5..fc0d7be237357a9cfbdbc664dee478034e1e315a
100644
--- a/src/objects-printer.cc
+++ b/src/objects-printer.cc
@@ -254,7 +254,7 @@ void
ExternalDoubleArray::ExternalDoubleArrayPrint(FILE* out) {
void JSObject::PrintProperties(FILE* out) {
if (HasFastProperties()) {
DescriptorArray* descs = map()->instance_descriptors();
- for (int i = 0; i < descs->number_of_descriptors(); i++) {
+ for (int i = 0; i < map()->NumberOfOwnDescriptors(); i++) {
PrintF(out, " ");
descs->GetKey(i)->StringPrint(out);
PrintF(out, ": ");
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
c37a4a8b2086be48e881634f36f36acf034cc56c..65276249a52b040b1dea376bba633163946d17d8
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -1771,9 +1771,7 @@ MaybeObject*
JSObject::ConvertTransitionToMapTransition(
// If the old_target did not yet store its own descriptors, the new
// descriptors pointer is created for the old_target by temporarily
clearing
- // the back pointer and setting its descriptor array. The ownership of
the
- // descriptor array is returned to the smaller maps by installing a
reduced
- // copy of the descriptor array in the old_map.
+ // the back pointer and setting its descriptor array.
// This phase is executed before creating the new map since it requires
// allocation that may fail.
@@ -1787,8 +1785,6 @@ MaybeObject*
JSObject::ConvertTransitionToMapTransition(
// descriptors. Setting the backpointer always succeeds.
old_target->SetBackPointer(old_map);
if (maybe_failure->IsFailure()) return maybe_failure;
-
- old_map->set_owns_descriptors(true);
}
MaybeObject* maybe_result =
@@ -1815,18 +1811,6 @@ MaybeObject*
JSObject::ConvertTransitionToMapTransition(
new_map->instance_descriptors());
new_map->ClearTransitions(GetHeap());
old_map->set_owns_descriptors(false);
- Map* map;
- JSGlobalPropertyCell* pointer =
- old_map->transitions()->descriptors_pointer();
- for (Object* current = old_map;
- !current->IsUndefined();
- current = map->GetBackPointer()) {
- map = Map::cast(current);
- if (!map->HasTransitionArray()) break;
- TransitionArray* transitions = map->transitions();
- if (transitions->descriptors_pointer() != pointer) break;
- map->SetEnumLength(Map::kInvalidEnumCache);
- }
} else if (old_target->instance_descriptors() ==
old_map->instance_descriptors()) {
// Since the conversion above generated a new fast map with an
additional
@@ -4995,8 +4979,11 @@ MaybeObject* Map::ShareDescriptor(Descriptor*
descriptor) {
// Sanity check. This path is only to be taken if the map owns its
descriptor
// array, implying that its NumberOfOwnDescriptors equals the number of
// descriptors in the descriptor array.
- ASSERT(NumberOfOwnDescriptors() ==
- instance_descriptors()->number_of_descriptors());
+ if (NumberOfOwnDescriptors() !=
+ instance_descriptors()->number_of_descriptors()) {
+ Isolate::Current()->PushStackTraceAndDie(
+ 0xDEAD0002, GetBackPointer(), this, 0xDEAD0003);
+ }
Map* result;
MaybeObject* maybe_result = CopyDropDescriptors();
if (!maybe_result->To(&result)) return maybe_result;
@@ -5086,7 +5073,7 @@ MaybeObject*
Map::CopyReplaceDescriptors(DescriptorArray* descriptors,
// If the copied map has no added fields, and the parent map owns
its
// descriptors, those descriptors have to be empty. In that case,
// transfer ownership of the descriptors to the new child.
- ASSERT(instance_descriptors()->IsEmpty());
+ CHECK(instance_descriptors()->IsEmpty());
set_owns_descriptors(false);
} else {
// If the parent did not own its own descriptors, it may share a
larger
Index: test/mjsunit/regress/regress-convert-transition.js
diff --git a/src/platform-posix.h
b/test/mjsunit/regress/regress-convert-transition.js
similarity index 79%
copy from src/platform-posix.h
copy to test/mjsunit/regress/regress-convert-transition.js
index
7a982ed2ef3080dad77860d6f46b356a9067bf3b..057dc8045c0327afe3217b8eea898b4228c1ae0f
100644
--- a/src/platform-posix.h
+++ b/test/mjsunit/regress/regress-convert-transition.js
@@ -25,15 +25,16 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#ifndef V8_PLATFORM_POSIX_H_
-#define V8_PLATFORM_POSIX_H_
+var input = '{ "a1":1, "a2":1, "a3":1, "a4":1, "a5":1, "a6":1, "a7":1,\
+ "a8":1, "a9":1, "a10":1, "a11":1, "a12":1, "a13":1}';
+var a = JSON.parse(input);
+a.a = function() { return 10; };
-namespace v8 {
-namespace internal {
+// Force conversion of field to slow mode.
+var b = JSON.parse(input);
+b.a = 10;
-// Used by platform implementation files during OS::PostSetUp().
-void POSIXPostSetUp();
-
-} } // namespace v8::internal
-
-#endif // V8_PLATFORM_POSIX_H_
+// Add another property to the object that would transition to a.
+var c = JSON.parse(input);
+c.x = 10;
+assertEquals(undefined, c.a);
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
