Reviewers: Toon Verwaest,
Message:
per our discussion...
Description:
Gcstress bug fix: Transition arrays may get smaller during gc.
Please review this at https://codereview.chromium.org/234873004/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+18, -11 lines):
M src/objects-inl.h
M src/transitions.h
M src/transitions.cc
Index: src/objects-inl.h
diff --git a/src/objects-inl.h b/src/objects-inl.h
index
524dfbe698734edc85ea34d63ba2b8aaa00fb1b6..b89b31dd736883743b07569373277885880c7a3e
100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -4969,8 +4969,7 @@ static void EnsureHasTransitionArray(Handle<Map> map)
{
transitions = TransitionArray::Allocate(map->GetIsolate(), 0);
transitions->set_back_pointer_storage(map->GetBackPointer());
} else if (!map->transitions()->IsFullTransitionArray()) {
- transitions = TransitionArray::ExtendToFullTransitionArray(
- handle(map->transitions()));
+ transitions = TransitionArray::ExtendToFullTransitionArray(map);
} else {
return;
}
Index: src/transitions.cc
diff --git a/src/transitions.cc b/src/transitions.cc
index
dc0a307cf077a54560883af20a9005dd980bd9a9..2397fc138f762ec5157b801ab82bdc107efdcd78
100644
--- a/src/transitions.cc
+++ b/src/transitions.cc
@@ -86,17 +86,23 @@ Handle<TransitionArray>
TransitionArray::NewWith(Handle<Map> map,
Handle<TransitionArray> TransitionArray::ExtendToFullTransitionArray(
- Handle<TransitionArray> array) {
- ASSERT(!array->IsFullTransitionArray());
- int nof = array->number_of_transitions();
- Handle<TransitionArray> result = Allocate(array->GetIsolate(), nof);
-
- if (nof == 1) {
+ Handle<Map> containing_map) {
+ ASSERT(!containing_map->transitions()->IsFullTransitionArray());
+ int nof = containing_map->transitions()->number_of_transitions();
+
+ // A transition array may shrink during GC.
+ Handle<TransitionArray> result = Allocate(containing_map->GetIsolate(),
nof);
+ int new_nof = containing_map->transitions()->number_of_transitions();
+ if (new_nof != nof) {
+ ASSERT(new_nof == 0);
+ result->Shrink(ToKeyIndex(0));
+ } else if (nof == 1) {
result->NoIncrementalWriteBarrierCopyFrom(
- *array, kSimpleTransitionIndex, 0);
+ containing_map->transitions(), kSimpleTransitionIndex, 0);
}
- result->set_back_pointer_storage(array->back_pointer_storage());
+ result->set_back_pointer_storage(
+ containing_map->transitions()->back_pointer_storage());
return result;
}
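Review bot: The `new_nof != nof` branch in `ExtendToFullTransitionArray` depends on `ASSERT(new_nof == 0)`, which is compiled out of release builds. Nothing there records why discarding every entry is safe, and the existing comment sits above `Allocate` without saying that the allocation is what can trigger the GC. I would replace it with something like `// Allocate() may trigger a GC that clears the map's simple transition, so re-read the count from the map rather than trusting the pre-allocation value.` Separately, `containing_map->transitions()->back_pointer_storage()` is still read on the shrunk path. If a GC can leave the map with no transition array at all (not visible in this hunk), that accessor would be interpreting a different object, so it is worth confirming the case cannot occur or guarding it with `ASSERT(containing_map->HasTransitionArray());` after the allocation.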
Index: src/transitions.h
diff --git a/src/transitions.h b/src/transitions.h
index
0c1acf8633b33182211040130cf05cf51902562a..e0ec8a01e7724f30ff1e883d9cec34d1cbe8543a
100644
--- a/src/transitions.h
+++ b/src/transitions.h
@@ -95,8 +95,10 @@ class TransitionArray: public FixedArray {
inline int number_of_entries() { return number_of_transitions(); }
+ // Creates a FullTransitionArray from a SimpleTransitionArray in
+ // containing_map.
static Handle<TransitionArray> ExtendToFullTransitionArray(
- Handle<TransitionArray> array);
+ Handle<Map> containing_map);
// Create a transition array, copying from the owning map if it already
has
// one, otherwise creating a new one according to flag.
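Review bot: The new declaration comment on `ExtendToFullTransitionArray` does not tell callers the two things this change is about: the call allocates and can therefore trigger GC, and the returned array can come back empty when the map's transition was cleared during that allocation. I would extend it with `// May trigger GC; if the simple transition is cleared meanwhile, the result holds no transitions.` so that callers such as `EnsureHasTransitionArray` do not assume the original entry survived. The class body continues outside this hunk.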