| Index: src/objects-inl.h
|
| diff --git a/src/objects-inl.h b/src/objects-inl.h
|
| index 02542612b86c9e66654ba45b4fc08aa0190a8ef0..ba0a7f87bc3664b56b7f98a7c54cd9a9d9fc39ae 100644
|
| --- a/src/objects-inl.h
|
| +++ b/src/objects-inl.h
|
| @@ -1490,7 +1490,7 @@ MaybeObject* JSObject::AddFastPropertyUsingMap(Map* map) {
|
| bool JSObject::TryTransitionToField(Handle<JSObject> object,
|
| Handle<Name> key) {
|
| if (!object->map()->HasTransitionArray()) return false;
|
| - Handle<TransitionArray> transitions(object->map()->transitions());
|
| + TransitionArray* transitions = object->map()->transitions();
|
| int transition = transitions->Search(*key);
|
| if (transition == TransitionArray::kNotFound) return false;
|
| PropertyDetails target_details = transitions->GetTargetDetails(transition);
|
| @@ -4125,9 +4125,12 @@ TransitionArray* Map::transitions() {
|
|
|
| void Map::set_transitions(TransitionArray* transition_array,
|
| WriteBarrierMode mode) {
|
| - // In release mode, only run this code if verify_heap is on.
|
| - if (Heap::ShouldZapGarbage() && HasTransitionArray()) {
|
| - CHECK(transitions() != transition_array);
|
| + // Transition arrays are not shared. When one is replaced, it should not
|
| + // keep referenced objects alive, so we zap it.
|
| + // When there is another reference to the array somewhere (e.g. a handle),
|
| + // not zapping turns from a waste of memory into a source of crashes.
|
| + if (HasTransitionArray()) {
|
| + ASSERT(transitions() != transition_array);
|
| ZapTransitions();
|
| }
|
|
|
|
|
Chromium Code Reviews
Issue 12843031:
Merged r14063, r14064 into trunk branch. (Closed)
Base URL: https://v8.googlecode.com/svn/trunk