Fix property array length calculation in TransformPropertiesToFastFor.

It was silently assumed that inobject_properties value is not too large.
Recent introduction of inobject slack tracking made the assumption false
and debug tests with no snapshot failed.

Review URL: http://codereview.chromium.org/3584004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5575 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/objects.cc b/src/objects.cc
index 737bf57..e21de0b 100644 (file)
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -8719,6 +8719,11 @@ Object* StringDictionary::TransformPropertiesToFastFor(
   int inobject_props = obj->map()->inobject_properties();
   int number_of_allocated_fields =
       number_of_fields + unused_property_fields - inobject_props;
+  if (number_of_allocated_fields < 0) {
+    // There is enough inobject space for all fields (including unused).
+    number_of_allocated_fields = 0;
+    unused_property_fields = inobject_props - number_of_fields;
+  }
 
   // Allocate the fixed array for the fields.
   Object* fields = Heap::AllocateFixedArray(number_of_allocated_fields);