From 11a831f12bcbfaf35cf2c9b49e80a45d8efca1ee Mon Sep 17 00:00:00 2001
From: hpayer
Date: Wed, 8 Jul 2015 09:08:31 -0700
Subject: [PATCH] Verify that double unboxing is never performed on large objects.

BUG=
Review URL: https://codereview.chromium.org/1214673007

Cr-Commit-Position: refs/heads/master@{#29538}
---
 src/heap/spaces.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/heap/spaces.cc b/src/heap/spaces.cc
index 0806b25..dfaac73 100644
--- a/src/heap/spaces.cc
+++ b/src/heap/spaces.cc
@@ -3046,6 +3046,11 @@ void LargeObjectSpace::Verify() {
   CHECK(map->IsMap());
   CHECK(heap()->map_space()->Contains(map));
 
+  // Double unboxing in LO space is not allowed. This would break the
+  // lookup mechanism for store and slot buffer entries which use the
+  // page header tag.
+  CHECK(object->ContentType() != HeapObjectContents::kMixedValues);
+
   // We have only code, sequential strings, external strings
   // (sequential strings that have been morphed into external
   // strings), fixed arrays, byte arrays, and constant pool arrays in the
-- 
2.7.4
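Review bot: The new `CHECK(object->ContentType() != HeapObjectContents::kMixedValues)` only fires when `LargeObjectSpace::Verify()` is run, which (assuming it is guarded by `VERIFY_HEAP` like the rest of the verification code in this file, not visible from this hunk) means a large object that is given an unboxed-double layout would already have corrupted store/slot buffer lookups by the time verification notices it. A `DCHECK` at the point where a map with a mixed-values layout descriptor is paired with a large-object allocation would report the violation where it is introduced rather than at the next heap walk; I can't see that allocation path here, so this is a suggestion to confirm against the allocator. The comment would also be more useful to a future reader if it named the consequence directly, e.g. `// Store/slot buffer lookups use the page header tag and cannot locate` / `// unboxed doubles inside a large object, so kMixedValues is never allowed here.` The body of `Verify()` continues outside the hunk.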