[heap] Fix verification of unsafe object layout changes.

src/runtime/runtime-object.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/runtime/runtime-utils.h"
 
 #include "src/arguments.h"
 #include "src/bootstrapper.h"
 #include "src/debug/debug.h"
 #include "src/isolate-inl.h"
@@ skipping 112 matching lines @@
   }
 
   // Fall back to GetObjectProperty.
   return Runtime::GetObjectProperty(isolate, receiver_obj, key_obj);
 }
 
 namespace {
 
 bool DeleteObjectPropertyFast(Isolate* isolate, Handle<JSReceiver> receiver,
                               Handle<Object> raw_key) {
+  DisallowHeapAllocation no_allocation;
   // This implements a special case for fast property deletion: when the
   // last property in an object is deleted, then instead of normalizing
   // the properties, we can undo the last map transition, with a few
   // prerequisites:
   // (1) The receiver must be a regular object and the key a unique name.
   Map* map = receiver->map();
   if (map->IsSpecialReceiverMap()) return false;
   if (!raw_key->IsUniqueName()) return false;
   Handle<Name> key = Handle<Name>::cast(raw_key);
   // (2) The property to be deleted must be the last property.
@@ skipping 10 matching lines @@
   if (!backpointer->IsMap()) return false;
   // (5) The last transition must have been caused by adding a property
   // (and not any kind of special transition).
   if (Map::cast(backpointer)->NumberOfOwnDescriptors() != nof - 1) return false;
 
   // Preconditions successful. No more bailouts after this point.
 
   // Zap the property to avoid keeping objects alive. Zapping is not necessary
   // for properties stored in the descriptor array.
   if (details.location() == kField) {
+    isolate->heap()->NotifyObjectLayoutChange(*receiver, no_allocation);
     Object* filler = isolate->heap()->one_pointer_filler_map();
     FieldIndex index = FieldIndex::ForPropertyIndex(map, details.field_index());
     JSObject::cast(*receiver)->RawFastPropertyAtPut(index, filler);
     // We must clear any recorded slot for the deleted property, because
     // subsequent object modifications might put a raw double there.
     // Slot clearing is the reason why this entire function cannot currently
     // be implemented in the DeleteProperty stub.
     if (index.is_inobject() && !map->IsUnboxedDoubleField(index)) {
       isolate->heap()->ClearRecordedSlot(
           *receiver, HeapObject::RawField(*receiver, index.offset()));
@@ skipping 943 matching lines @@
   // While iteration alone may not have observable side-effects, calling
   // toNumber on an object will. Make sure the arg is not an array of objects.
   ElementsKind kind = JSObject::cast(*obj)->GetElementsKind();
   if (!IsFastNumberElementsKind(kind)) return isolate->heap()->ToBoolean(false);
 
   return isolate->heap()->ToBoolean(!obj->IterationHasObservableEffects());
 }
 
 }  // namespace internal
 }  // namespace v8