Make new space iterable when transitioning double array to objects

src/ia32/codegen-ia32.cc

Index: src/ia32/codegen-ia32.cc
diff --git a/src/ia32/codegen-ia32.cc b/src/ia32/codegen-ia32.cc
index 350a8fb2242a8a5f6ae66ddb9e518a930d90e77c..a22f36950a91cd60cf0a658e3b7e3a8cdaa4fbd0 100644
--- a/src/ia32/codegen-ia32.cc
+++ b/src/ia32/codegen-ia32.cc
@@ -783,7 +783,8 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
   //  -- edx    : receiver
   //  -- esp[0] : return address
   // -----------------------------------
-  Label loop, entry, convert_hole, gc_required, only_change_map, success;
+  Label loop, entry, convert_hole, gc_required, gc_cleanup, only_change_map,
+      success;
 
   if (mode == TRACK_ALLOCATION_SITE) {
     __ JumpIfJSArrayHasAllocationMemento(edx, edi, fail);
@@ -829,8 +830,16 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
                       OMIT_SMI_CHECK);
   __ jmp(&success);
 
-  // Call into runtime if GC is required.
+  __ bind(&gc_cleanup);
+#ifdef VERIFY_HEAP
+  // Make sure new space is iterable if we are verifying the heap.
+  __ mov(edx, masm->isolate()->factory()->one_pointer_filler_map());
+  __ mov(FieldOperand(eax, ebx, times_2, FixedArray::kHeaderSize), edx);
+  __ sub(ebx, Immediate(Smi::FromInt(1)));
+  __ j(not_sign, &gc_cleanup);
+#endif
   __ bind(&gc_required);
+  // Call into runtime if GC is required.
   __ mov(esi, Operand(ebp, StandardFrameConstants::kContextOffset));
   __ pop(ebx);
   __ pop(edx);
@@ -847,7 +856,7 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
   __ j(equal, &convert_hole);
 
   // Non-hole double, copy value into a heap number.
-  __ AllocateHeapNumber(edx, esi, no_reg, &gc_required);
+  __ AllocateHeapNumber(edx, esi, no_reg, &gc_cleanup);
   // edx: new heap number
   if (CpuFeatures::IsSupported(SSE2)) {
     CpuFeatureScope fscope(masm, SSE2);