Initialize pre-allocated fields of JSObject with undefined.

src/heap.cc

Index: src/heap.cc
diff --git a/src/heap.cc b/src/heap.cc
index 8c9ebe3ec48e82faac4f51b2c509532c0676d41b..46b26528b4a5490bd715dd7d11f8425540c6ad05 100644
--- a/src/heap.cc
+++ b/src/heap.cc
@@ -3339,20 +3339,24 @@ void Heap::InitializeJSObjectFromMap(JSObject* obj,
   // fixed array (eg, Heap::empty_fixed_array()).  Currently, the object
   // verification code has to cope with (temporarily) invalid objects.  See
   // for example, JSArray::JSArrayVerify).
-  Object* filler;
+
   // We cannot always fill with one_pointer_filler_map because objects
   // created from API functions expect their internal fields to be initialized
   // with undefined_value.
+  // Pre-allocated fields need to be initialized with undefined_value as well
+  // so that object accesses before the constructor completes (e.g. in the
+  // debugger) will not cause a crash.
   if (map->constructor()->IsJSFunction() &&
       JSFunction::cast(map->constructor())->shared()->
           IsInobjectSlackTrackingInProgress()) {
     // We might want to shrink the object later.
     ASSERT(obj->GetInternalFieldCount() == 0);
-    filler = Heap::one_pointer_filler_map();
+    obj->InitializeBody(map,
+                        Heap::undefined_value(),
+                        Heap::one_pointer_filler_map());
   } else {
-    filler = Heap::undefined_value();
+    obj->InitializeBody(map, Heap::undefined_value(), Heap::undefined_value());

[Vyacheslav Egorov (Chromium), 2011/09/16 15:33:05]

Can be moved outside of the if to avoid code duplication:

obj->InitializeBody(map, Heap::undefined_value(), filler);

   }
-  obj->InitializeBody(map->instance_size(), filler);
 }