src/objects-inl.h - Issue 11566027: Object.oberve: assertions to narrow down flaky crashes with array length mutation.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/objects-inl.h

Issue 11566027: Object.oberve: assertions to narrow down flaky crashes with array length mutation. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge

Patch Set: Created 8 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/objects-inl.h

diff --git a/src/objects-inl.h b/src/objects-inl.h

index d61d3da8c501cb33cc9f84d0bb9d9a9d4ac82159..50323d71c5748c0332c549f8a9855c7ece081d2e 100644

--- a/src/objects-inl.h

+++ b/src/objects-inl.h

@@ -1417,6 +1417,12 @@ void JSObject::initialize_elements() {

MaybeObject* JSObject::ResetElements() {

Object* obj;

+ Map* old_map = map();

+ bool is_observed = old_map->is_observed();

+ // Temporarily disable observation bit, so that invariant forbidding

+ // observation on fast elements isn't violated when transitioning below.

+ // If it was set, we first normalize and then reenable below.

+ if (is_observed) old_map->set_is_observed(false);

Michael Starzinger 2012/12/14 11:47:51 This modifies the old_map before a new one is allo

rossberg 2012/12/14 12:18:14 Indeed. This was way too ugly anyway. Removed use

ElementsKind elements_kind = GetInitialFastElementsKind();

if (!FLAG_smi_only_arrays) {

elements_kind = FastSmiToObjectElementsKind(elements_kind);

@@ -1426,12 +1432,14 @@ MaybeObject* JSObject::ResetElements() {

if (!maybe_obj->ToObject(&obj)) return maybe_obj;

set_map(Map::cast(obj));

initialize_elements();

- if (FLAG_harmony_observation && map()->is_observed()) {

+ if (is_observed) {

// Maintain invariant that observed elements are always in dictionary mode.

// For this to work on arrays, we have to make sure to reset length first.

if (IsJSArray()) JSArray::cast(this)->set_length(Smi::FromInt(0));

maybe_obj = NormalizeElements();

if (maybe_obj->IsFailure()) return maybe_obj;

+ old_map->set_is_observed(true);

+ map()->set_is_observed(true);

}

return this;

}

@@ -3362,6 +3370,9 @@ bool Map::owns_descriptors() {

void Map::set_is_observed(bool is_observed) {

+ ASSERT(instance_type() < FIRST_JS_OBJECT_TYPE ||

+ instance_type() > LAST_JS_OBJECT_TYPE ||

+ has_slow_elements_kind() || has_external_array_elements());

set_bit_field3(IsObserved::update(bit_field3(), is_observed));

}

« no previous file with comments | « src/objects-debug.cc ('k') | src/runtime.cc » ('j') | no next file with comments »