Reviewers: Michael Starzinger,
Message:
PTAL
Description:
Also allow the empty object map to keep transitions.
With the old implementation, due to the map-check being inadequate, such
transitions were already added for cross-context field stores. It is not
necessary anymore to not store transitions, since we properly clear
non-live transitions. Globally enabling this feature will help find more
bugs.
BUG=v8:2518
[email protected]
Please review this at https://chromiumcodereview.appspot.com/12092063/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/isolate.h
M src/objects.cc
Index: src/isolate.h
diff --git a/src/isolate.h b/src/isolate.h
index
8ac85028791f53a58567a69c1a04f32999941181..e1d43d9ee0661d461d57c0ce6765aefd0017797f
100644
--- a/src/isolate.h
+++ b/src/isolate.h
@@ -531,11 +531,6 @@ class Isolate {
thread_local_top_.save_context_ = save;
}
- // Access to the map of "new Object()".
- Map* empty_object_map() {
- return context()->native_context()->object_function()->map();
- }
-
// Access to current thread id.
ThreadId thread_id() { return thread_local_top_.thread_id_; }
void set_thread_id(ThreadId id) { thread_local_top_.thread_id_ = id; }
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
0825b64c3367e5d2d92bcd5a8374b3ec616eef6e..c836aaadc8ad60d7b9777ef49214cae3cd125daa
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -1601,10 +1601,7 @@ MaybeObject* JSObject::AddFastProperty(String* name,
if (!maybe_values->To(&values)) return maybe_values;
}
- // Only allow map transition if the object isn't the global object.
- TransitionFlag flag = isolate->empty_object_map() != map()
- ? INSERT_TRANSITION
- : OMIT_TRANSITION;
+ TransitionFlag flag = INSERT_TRANSITION;
Map* new_map;
MaybeObject* maybe_new_map = map()->CopyAddDescriptor(&new_field, flag);
@@ -1630,15 +1627,11 @@ MaybeObject* JSObject::AddConstantFunctionProperty(
// Allocate new instance descriptors with (name, function) added
ConstantFunctionDescriptor d(name, function, attributes, 0);
- Heap* heap = GetHeap();
TransitionFlag flag =
- // Do not add transitions to the empty object map (map of "new
Object()"),
- // nor to global objects.
- (map() == heap->isolate()->empty_object_map() || IsGlobalObject() ||
+ // Do not add transitions to global objects.
+ (IsGlobalObject() ||
// Don't add transitions to special properties with non-trivial
// attributes.
- // TODO(verwaest): Once we support attribute changes, these
transitions
- // should be kept as well.
attributes != NONE)
? OMIT_TRANSITION
: INSERT_TRANSITION;
@@ -1844,7 +1837,6 @@ MaybeObject*
JSObject::ConvertTransitionToMapTransition(
// This method should only be used to convert existing transitions.
Objects
// with the map of "new Object()" cannot have transitions in the first
place.
Map* new_map = map();
- ASSERT(new_map != GetIsolate()->empty_object_map());
// TODO(verwaest): From here on we lose existing map transitions, causing
// invalid back pointers. This will change once we can store multiple
@@ -2415,10 +2407,8 @@ MaybeObject*
JSObject::GetElementsTransitionMapSlow(ElementsKind to_kind) {
}
bool allow_store_transition =
- // Only remember the map transition if the object's map is NOT equal
to
- // the global object_function's map and there is not an already
existing
+ // Only remember the map transition if there is not an already
existing
// non-matching element transition.
- (GetIsolate()->empty_object_map() != map()) &&
!start_map->IsUndefined() && !start_map->is_shared() &&
IsFastElementsKind(from_kind);
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
