Revision: 12688
Author: [email protected]
Date: Wed Oct 10 05:31:50 2012
Log: Fix transition conversion from CONSTANT_FUNCTION to FIELD.
Review URL: https://chromiumcodereview.appspot.com/11094044
http://code.google.com/p/v8/source/detail?r=12688
Added:
/branches/bleeding_edge/test/mjsunit/regress/regress-convert-transition.js
Modified:
/branches/bleeding_edge/src/objects-printer.cc
/branches/bleeding_edge/src/objects.cc
=======================================
--- /dev/null
+++
/branches/bleeding_edge/test/mjsunit/regress/regress-convert-transition.js
Wed Oct 10 05:31:50 2012
@@ -0,0 +1,40 @@
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+var input = '{ "a1":1, "a2":1, "a3":1, "a4":1, "a5":1, "a6":1, "a7":1,\
+ "a8":1, "a9":1, "a10":1, "a11":1, "a12":1, "a13":1}';
+var a = JSON.parse(input);
+a.a = function() { return 10; };
+
+// Force conversion of field to slow mode.
+var b = JSON.parse(input);
+b.a = 10;
+
+// Add another property to the object that would transition to a.
+var c = JSON.parse(input);
+c.x = 10;
+assertEquals(undefined, c.a);
=======================================
--- /branches/bleeding_edge/src/objects-printer.cc Wed Oct 10 05:29:44 2012
+++ /branches/bleeding_edge/src/objects-printer.cc Wed Oct 10 05:31:50 2012
@@ -254,7 +254,7 @@
void JSObject::PrintProperties(FILE* out) {
if (HasFastProperties()) {
DescriptorArray* descs = map()->instance_descriptors();
- for (int i = 0; i < descs->number_of_descriptors(); i++) {
+ for (int i = 0; i < map()->NumberOfOwnDescriptors(); i++) {
PrintF(out, " ");
descs->GetKey(i)->StringPrint(out);
PrintF(out, ": ");
=======================================
--- /branches/bleeding_edge/src/objects.cc Wed Oct 10 05:29:44 2012
+++ /branches/bleeding_edge/src/objects.cc Wed Oct 10 05:31:50 2012
@@ -1771,9 +1771,7 @@
// If the old_target did not yet store its own descriptors, the new
// descriptors pointer is created for the old_target by temporarily
clearing
- // the back pointer and setting its descriptor array. The ownership of
the
- // descriptor array is returned to the smaller maps by installing a
reduced
- // copy of the descriptor array in the old_map.
+ // the back pointer and setting its descriptor array.
// This phase is executed before creating the new map since it requires
// allocation that may fail.
@@ -1787,8 +1785,6 @@
// descriptors. Setting the backpointer always succeeds.
old_target->SetBackPointer(old_map);
if (maybe_failure->IsFailure()) return maybe_failure;
-
- old_map->set_owns_descriptors(true);
}
MaybeObject* maybe_result =
@@ -1815,18 +1811,6 @@
new_map->instance_descriptors());
new_map->ClearTransitions(GetHeap());
old_map->set_owns_descriptors(false);
- Map* map;
- JSGlobalPropertyCell* pointer =
- old_map->transitions()->descriptors_pointer();
- for (Object* current = old_map;
- !current->IsUndefined();
- current = map->GetBackPointer()) {
- map = Map::cast(current);
- if (!map->HasTransitionArray()) break;
- TransitionArray* transitions = map->transitions();
- if (transitions->descriptors_pointer() != pointer) break;
- map->SetEnumLength(Map::kInvalidEnumCache);
- }
} else if (old_target->instance_descriptors() ==
old_map->instance_descriptors()) {
// Since the conversion above generated a new fast map with an
additional
@@ -4995,8 +4979,11 @@
// Sanity check. This path is only to be taken if the map owns its
descriptor
// array, implying that its NumberOfOwnDescriptors equals the number of
// descriptors in the descriptor array.
- ASSERT(NumberOfOwnDescriptors() ==
- instance_descriptors()->number_of_descriptors());
+ if (NumberOfOwnDescriptors() !=
+ instance_descriptors()->number_of_descriptors()) {
+ Isolate::Current()->PushStackTraceAndDie(
+ 0xDEAD0002, GetBackPointer(), this, 0xDEAD0003);
+ }
Map* result;
MaybeObject* maybe_result = CopyDropDescriptors();
if (!maybe_result->To(&result)) return maybe_result;
@@ -5086,7 +5073,7 @@
// If the copied map has no added fields, and the parent map owns
its
// descriptors, those descriptors have to be empty. In that case,
// transfer ownership of the descriptors to the new child.
- ASSERT(instance_descriptors()->IsEmpty());
+ CHECK(instance_descriptors()->IsEmpty());
set_owns_descriptors(false);
} else {
// If the parent did not own its own descriptors, it may share a
larger
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
