Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(470)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: src/runtime.cc

Issue 11566027: Object.oberve: assertions to narrow down flaky crashes with array length mutation. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Addressing comment Created 8 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « src/objects-inl.h ('k') | test/mjsunit/harmony/object-observe.js » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index badcaabf1a434c6e2640c0a1052d7f1731a65cc1..c44a18396b19417dda787abe0a6f85fc4cb6d325 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -4376,6 +4376,7 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_TransitionElementsSmiToDouble) {
Handle<Object> object = args.at<Object>(0);
if (object->IsJSObject()) {
Handle<JSObject> js_object(Handle<JSObject>::cast(object));
+ ASSERT(!js_object->map()->is_observed());
ElementsKind new_kind = js_object->HasFastHoleyElements()
? FAST_HOLEY_DOUBLE_ELEMENTS
: FAST_DOUBLE_ELEMENTS;
@@ -4392,6 +4393,7 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_TransitionElementsDoubleToObject) {
Handle<Object> object = args.at<Object>(0);
if (object->IsJSObject()) {
Handle<JSObject> js_object(Handle<JSObject>::cast(object));
+ ASSERT(!js_object->map()->is_observed());
ElementsKind new_kind = js_object->HasFastHoleyElements()
? FAST_HOLEY_ELEMENTS
: FAST_ELEMENTS;
@@ -13487,19 +13489,21 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_SetIsObserved) {
ASSERT(proto->IsJSGlobalObject());
obj = JSReceiver::cast(proto);
}
+ ASSERT(!(obj->map()->is_observed() && obj->IsJSObject() &&
+ JSObject::cast(obj)->HasFastElements()));
if (obj->map()->is_observed() != is_observed) {
- MaybeObject* maybe = obj->map()->Copy();
- Map* map;
- if (!maybe->To(&map)) return maybe;
- map->set_is_observed(is_observed);
- obj->set_map(map);
if (is_observed && obj->IsJSObject() &&
!JSObject::cast(obj)->HasExternalArrayElements()) {
// Go to dictionary mode, so that we don't skip map checks.
- maybe = JSObject::cast(obj)->NormalizeElements();
+ MaybeObject* maybe = JSObject::cast(obj)->NormalizeElements();
if (maybe->IsFailure()) return maybe;
ASSERT(!JSObject::cast(obj)->HasFastElements());
}
+ MaybeObject* maybe = obj->map()->Copy();
+ Map* map;
+ if (!maybe->To(&map)) return maybe;
+ map->set_is_observed(is_observed);
+ obj->set_map(map);
}
return isolate->heap()->undefined_value();
}
« no previous file with comments | « src/objects-inl.h ('k') | test/mjsunit/harmony/object-observe.js » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698