From: jarin@chromium.org Date: Wed, 23 Apr 2014 09:21:24 +0000 (+0000) Subject: Avoid setting transitions in-place for cached maps when observed X-Git-Tag: upstream/4.7.83~9488 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=783eb25a8c86a97ef8d54b16bba97aa74176f2d1;p=platform%2Fupstream%2Fv8.git Avoid setting transitions in-place for cached maps when observed R=verwaest@chromium.org BUG= Review URL: https://codereview.chromium.org/246523004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20900 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
diff --git a/src/objects.cc b/src/objects.cc
index 48f9625..ba5280e 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -5816,7 +5816,7 @@ void JSObject::SetObserved(Handle object) {
 if (transition_index != TransitionArray::kNotFound) {
 new_map = handle(old_map->GetTransition(transition_index), isolate);
 ASSERT(new_map->is_observed());
- } else if (old_map->CanHaveMoreTransitions()) {
+ } else if (object->HasFastProperties() && old_map->CanHaveMoreTransitions()) {
 new_map = Map::CopyForObserved(old_map);
 } else {
 new_map = Map::Copy(old_map);
diff --git a/test/mjsunit/regress/regress-observe-map-cache.js b/test/mjsunit/regress/regress-observe-map-cache.js
new file mode 100644
index 0000000..4c7a7e3
--- /dev/null
+++ b/test/mjsunit/regress/regress-observe-map-cache.js
@@ -0,0 +1,14 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --enable-slow-asserts
+
+function f() {
+ var x = new Array(0);
+ x[-1] = -1;
+ Object.observe(x, function() { });
+}
+
+f();
+f();
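Review bot: The new `object->HasFastProperties()` guard on the `else if` carries no comment saying why a non-fast object must fall through to `Map::Copy` instead of `Map::CopyForObserved`, and the condition does not explain itself. Going by the commit title, the intent appears to be that the map of a non-fast object can come from a shared cache, so adding a transition to it in place would change a map that other objects reuse. That invariant should be written at the branch, for example `// Maps of non-fast objects may be cached and shared; never add the observed transition to them in place.` SetObserved's body begins and ends outside the hunk, so whether the earlier transition lookup on `old_map` needs the same guard cannot be judged from here.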
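Review bot: The test contains no assertion of its own, so it can only fail through an engine-side check switched on by `--enable-slow-asserts`; in a build without those checks it presumably passes whether or not the fix is present. The Flags line also enables `--allow-natives-syntax` although no `%` native call appears in the file, so it can be reduced to `// Flags: --enable-slow-asserts`. A short comment above the two calls would record why `f()` runs twice, for example `// The second call is expected to reuse the map cached by the first.` (inferred from the file name and the commit title).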