Harden CopyJSObject.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/489833004

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24670 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/heap/heap.cc b/src/heap/heap.cc
index 7c1b2b2..931d55e 100644 (file)
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -3716,12 +3716,14 @@ AllocationResult Heap::AllocateJSObject(JSFunction* constructor,
 
 
 AllocationResult Heap::CopyJSObject(JSObject* source, AllocationSite* site) {
-  // Never used to copy functions.  If functions need to be copied we
-  // have to be careful to clear the literals array.
-  SLOW_DCHECK(!source->IsJSFunction());
-
   // Make the clone.
   Map* map = source->map();
+
+  // We can only clone normal objects or arrays. Copying anything else
+  // will break invariants.
+  CHECK(map->instance_type() == JS_OBJECT_TYPE ||
+        map->instance_type() == JS_ARRAY_TYPE);
+
   int object_size = map->instance_size();
   HeapObject* clone;