From 6fd0e691567397fb3a4c670e5e7ed8dd617e279e Mon Sep 17 00:00:00 2001
From: "verwaest@chromium.org"
Date: Fri, 28 Sep 2012 10:15:58 +0000
Subject: [PATCH] Restore the descriptor array before returning allocation failure.

BUG=chromium:151750

Review URL: https://chromiumcodereview.appspot.com/10989076

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12629 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/objects.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/objects.cc b/src/objects.cc
index f11dfcf..e772d54 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -1782,8 +1782,11 @@ MaybeObject* JSObject::ConvertTransitionToMapTransition(
 old_target->SetBackPointer(GetHeap()->undefined_value());
 
 MaybeObject* maybe_failure = old_target->SetDescriptors(old_descriptors);
- if (maybe_failure->IsFailure()) return maybe_failure;
+ // Reset the backpointer before returning failure, otherwise the map ends up
+ // with an undefined backpointer and no descriptors, losing its own
+ // descriptors. Setting the backpointer always succeeds.
 old_target->SetBackPointer(old_map);
+ if (maybe_failure->IsFailure()) return maybe_failure;
 old_map->set_owns_descriptors(true);
 }
 
-- 
2.7.4
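Review bot: The comment added above `old_target->SetBackPointer(old_map);` describes the bug that was observed rather than the invariant the reordering now depends on, and the statement that setting the back pointer always succeeds is asserted only in prose. I would reword it to state the post-fix guarantee, e.g. `// Restore the back pointer before the failure check below: SetBackPointer is a plain store that cannot fail, so even when SetDescriptors could not allocate, old_target stays reachable from old_map and (as the failure mode above implies) keeps its descriptors.` Because the early return on the following line is only safe while SetBackPointer never allocates, an ASSERT on the restored pointer right after the store would make that assumption checkable; whether it is warranted depends on Map::SetBackPointer, which is outside the hunk. Whether any state set up earlier in this function also needs unwinding on this failure path is not visible here; ConvertTransitionToMapTransition starts before the hunk and continues past it.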