Reviewers: Jakob,
Message:
PTAL.
Description:
Don't clear EnumLength; copy the enum cache instead. Added a regression
test for crashes from chromecrash.
Please review this at https://chromiumcodereview.appspot.com/11103036/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/objects.cc
A + test/mjsunit/regress/regress-convert-enum.js
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
1974a5de607c01df32f3fe85e3a024092389c313..aa59047927fa2ec6e8ef15694acfb5425d068086
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -1806,6 +1806,9 @@ MaybeObject*
JSObject::ConvertTransitionToMapTransition(
Map* map;
DescriptorArray* new_descriptors = new_map->instance_descriptors();
DescriptorArray* old_descriptors = old_map->instance_descriptors();
+ if (old_descriptors->HasEnumCache()) {
+ new_descriptors->CopyEnumCacheFrom(old_descriptors);
+ }
for (Object* current = old_map;
!current->IsUndefined();
current = map->GetBackPointer()) {
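Review bot: The new `CopyEnumCacheFrom` block carries no comment, and the following hunk (-1813) deletes the only comment that explained how enum caches are treated in this loop. After this change every map repointed by `transitions->set_descriptors(new_descriptors)` keeps its existing EnumLength, so memory safety of later for-in iteration appears to depend on `new_descriptors` holding a cache at least as long as any of those lengths. I would state that invariant above the `if`, e.g. `// Maps repointed below keep their EnumLength, so new_descriptors must carry the enum cache those lengths refer to.` It would also help to say what is expected when `old_descriptors` has no cache, since nothing is copied then; presumably no map in the chain has a valid EnumLength in that case, but that is not visible here. The function body starts and ends outside the hunk.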
@@ -1813,8 +1816,6 @@ MaybeObject*
JSObject::ConvertTransitionToMapTransition(
if (!map->HasTransitionArray()) break;
TransitionArray* transitions = map->transitions();
if (transitions->descriptors() != old_descriptors) break;
- // Invalidate the enum caches only if the map did not own its
descriptors.
- if (!owned_descriptors) map->SetEnumLength(Map::kInvalidEnumCache);
transitions->set_descriptors(new_descriptors);
}
old_map->set_owns_descriptors(false);
Index: test/mjsunit/regress/regress-convert-enum.js
diff --git a/test/mjsunit/regress/regress-cnlt-enum-indices.js
b/test/mjsunit/regress/regress-convert-enum.js
similarity index 83%
copy from test/mjsunit/regress/regress-cnlt-enum-indices.js
copy to test/mjsunit/regress/regress-convert-enum.js
index
03582bbbe424b10487fab13a6473e9b62781845e..8c1427a9735528fe7dd6651d61f8fecf88a6b330
100644
--- a/test/mjsunit/regress/regress-cnlt-enum-indices.js
+++ b/test/mjsunit/regress/regress-convert-enum.js
@@ -25,21 +25,30 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-// Flags: --allow-natives-syntax --expose-gc
+// Flags: --expose-gc
+// Hold descriptors in c
var o = {};
-var o2 = {};
-
o.a = 1;
-o2.a = 1;
-function f() { return 10; }
-// Adds a non-field enumerable property.
-Object.defineProperty(o, "b", { get: f, enumerable: true });
-Object.defineProperty(o2, "b", { get: f, enumerable: true });
-assertTrue(%HaveSameMap(o, o2));
o.c = 2;
-for (var x in o) { }
-o = null;
+// Create non-owning function transition
+var o1 = {};
+o1.a = 1;
+for (var x in o1) { }
+o1.b = function() { return 1; };
+// Return ownership to o.a
+o = null;
gc();
+
+// Convert function transition to map transition
+var o2 = {};
+o2.a = 1;
+o2.b = 10;
+
+// Iterate over .a
+var o3 = {};
+o3.a = 1;
+
+for (var y in o3) { }
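Review bot: The new test asserts nothing; both for-in loops have empty bodies, so it only fails if the VM crashes. A stale or mismatched enum cache that returns wrong keys without crashing would pass unnoticed. Collecting the keys in the final loop and checking them would cover that case: `var keys = []; for (var y in o3) keys.push(y);` followed by `assertEquals(["a"], keys);`. The scenario also depends on `gc()` actually collecting the map for `o`, which the comment `// Return ownership to o.a` could state explicitly.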