Fix crashes during GC caused by partially initialized objects. The...

src/arm/stub-cache-arm.cc

 // Copyright 2006-2009 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 2884 matching lines @@
   __ DecrementCounter(&Counters::keyed_store_field, 1, r3, r4);
   Handle<Code> ic(Builtins::builtin(Builtins::KeyedStoreIC_Miss));
 
   __ Jump(ic, RelocInfo::CODE_TARGET);
 
   // Return the generated code.
   return GetCode(transition == NULL ? FIELD : MAP_TRANSITION, name);
 }
 
 
-MaybeObject* ConstructStubCompiler::CompileConstructStub(
-    SharedFunctionInfo* shared) {
+MaybeObject* ConstructStubCompiler::CompileConstructStub(JSFunction* function) {
   // ----------- S t a t e -------------
   //  -- r0    : argc
   //  -- r1    : constructor
   //  -- lr    : return address
   //  -- [sp]  : last argument
   // -----------------------------------
   Label generic_stub_call;
 
   // Use r7 for holding undefined which is used in several places below.
   __ LoadRoot(r7, Heap::kUndefinedValueRootIndex);
@@ skipping 63 matching lines @@
 
   // Fill all the in-object properties with undefined.
   // r0: argc
   // r1: first argument
   // r3: object size (in words)
   // r4: JSObject (not tagged)
   // r5: First in-object property of JSObject (not tagged)
   // r7: undefined
   // Fill the initialized properties with a constant value or a passed argument
   // depending on the this.x = ...; assignment in the function.
+  SharedFunctionInfo* shared = function->shared();
   for (int i = 0; i < shared->this_property_assignments_count(); i++) {
     if (shared->IsThisPropertyAssignmentArgument(i)) {
       Label not_passed, next;
       // Check if the argument assigned to the property is actually passed.
       int arg_number = shared->GetThisPropertyAssignmentArgument(i);
       __ cmp(r0, Operand(arg_number));
       __ b(le, &not_passed);
       // Argument passed - find it on the stack.
       __ ldr(r2, MemOperand(r1, (arg_number + 1) * -kPointerSize));
       __ str(r2, MemOperand(r5, kPointerSize, PostIndex));
       __ b(&next);
       __ bind(&not_passed);
       // Set the property to undefined.
       __ str(r7, MemOperand(r5, kPointerSize, PostIndex));
       __ bind(&next);
     } else {
       // Set the property to the constant value.
       Handle<Object> constant(shared->GetThisPropertyAssignmentConstant(i));
       __ mov(r2, Operand(constant));
       __ str(r2, MemOperand(r5, kPointerSize, PostIndex));
     }
   }
 
   // Fill the unused in-object property fields with undefined.
+  ASSERT(function->has_initial_map());
   for (int i = shared->this_property_assignments_count();
-       i < shared->CalculateInObjectProperties();
+       i < function->initial_map()->inobject_properties();
        i++) {
       __ str(r7, MemOperand(r5, kPointerSize, PostIndex));
   }
 
   // r0: argc
   // r4: JSObject (not tagged)
   // Move argc to r1 and the JSObject to return to r0 and tag it.
   __ mov(r1, r0);
   __ mov(r0, r4);
   __ orr(r0, r0, Operand(kHeapObjectTag));
@@ skipping 17 matching lines @@
   // Return the generated code.
   return GetCode();
 }
 
 
 #undef __
 
 } }  // namespace v8::internal
 
 #endif  // V8_TARGET_ARCH_ARM