src/objects.cc - Issue 1263543004: Fix prototype registration upon SlowToFast migration

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/objects.cc

Issue 1263543004: Fix prototype registration upon SlowToFast migration (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master

Patch Set: Created 5 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/objects.cc

diff --git a/src/objects.cc b/src/objects.cc

index 06d05f4f2357621f5d4dca9d8cfec52759efbe08..fbf5ef5f535ca55195bc937b4771cfc3ed7e660b 100644

--- a/src/objects.cc

+++ b/src/objects.cc

@@ -4644,20 +4644,32 @@ void JSObject::MigrateSlowToFast(Handle<JSObject> object,

}

- int inobject_props = object->map()->inobject_properties();

+ Handle<Map> old_map(object->map(), isolate);

+ int inobject_props = old_map->inobject_properties();

// Allocate new map.

- Handle<Map> new_map = Map::CopyDropDescriptors(handle(object->map()));

+ Handle<Map> new_map = Map::CopyDropDescriptors(old_map);

new_map->set_dictionary_map(false);

- if (object->map()->is_prototype_map()) {

+ if (old_map->is_prototype_map() && FLAG_track_prototype_users) {

DCHECK(new_map->is_prototype_map());

- new_map->set_prototype_info(object->map()->prototype_info());

- object->map()->set_prototype_info(Smi::FromInt(0));

+ Object* maybe_old_prototype = old_map->prototype();

+ if (maybe_old_prototype->IsJSObject()) {

Jakob Kummerow 2015/07/28 15:14:19 This if-block is new; the other changes are just r

+ Handle<JSObject> old_prototype(JSObject::cast(maybe_old_prototype));

+ bool was_registered =

+ JSObject::UnregisterPrototypeUser(old_prototype, old_map);

+ if (was_registered) {

+ JSObject::LazyRegisterPrototypeUser(new_map, isolate);

+ }

+ new_map->set_prototype_info(old_map->prototype_info());

+ old_map->set_prototype_info(Smi::FromInt(0));

if (FLAG_trace_prototype_users) {

PrintF("Moving prototype_info %p from map %p to map %p.\n",

reinterpret_cast<void*>(new_map->prototype_info()),

- reinterpret_cast<void*>(object->map()),

+ reinterpret_cast<void*>(*old_map),

reinterpret_cast<void*>(*new_map));

}

@@ -4665,8 +4677,8 @@ void JSObject::MigrateSlowToFast(Handle<JSObject> object,

#if TRACE_MAPS

if (FLAG_trace_maps) {

PrintF("[TraceMaps: SlowToFast from= %p to= %p reason= %s ]\n",

- reinterpret_cast<void*>(object->map()),

- reinterpret_cast<void*>(*new_map), reason);

+ reinterpret_cast<void*>(*old_map), reinterpret_cast<void*>(*new_map),

+ reason);

}

#endif

« no previous file with comments | « no previous file | test/mjsunit/regress/regress-crbug-513602.js » ('j') | no next file with comments »