From 783eb25a8c86a97ef8d54b16bba97aa74176f2d1 Mon Sep 17 00:00:00 2001
From: "jarin@chromium.org"
Date: Wed, 23 Apr 2014 09:21:24 +0000
Subject: [PATCH] Avoid setting transitions in-place for cached maps when observed

R=verwaest@chromium.org
BUG=
Review URL: https://codereview.chromium.org/246523004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20900 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/objects.cc | 2 +-
 test/mjsunit/regress/regress-observe-map-cache.js | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress/regress-observe-map-cache.js

diff --git a/src/objects.cc b/src/objects.cc
index 48f9625..ba5280e 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -5816,7 +5816,7 @@ void JSObject::SetObserved(Handle object) {
 if (transition_index != TransitionArray::kNotFound) {
 new_map = handle(old_map->GetTransition(transition_index), isolate);
 ASSERT(new_map->is_observed());
- } else if (old_map->CanHaveMoreTransitions()) {
+ } else if (object->HasFastProperties() && old_map->CanHaveMoreTransitions()) {
 new_map = Map::CopyForObserved(old_map);
 } else {
 new_map = Map::Copy(old_map);
diff --git a/test/mjsunit/regress/regress-observe-map-cache.js b/test/mjsunit/regress/regress-observe-map-cache.js
new file mode 100644
index 0000000..4c7a7e3
--- /dev/null
+++ b/test/mjsunit/regress/regress-observe-map-cache.js
@@ -0,0 +1,14 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --enable-slow-asserts
+
+function f() {
+ var x = new Array(0);
+ x[-1] = -1;
+ Object.observe(x, function() { });
+}
+
+f();
+f();
-- 2.7.4
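Review bot: The new `object->HasFastProperties()` guard on the `else if` has no comment, so the reason a non-fast-properties object must fall through to `Map::Copy` can only be recovered from the commit title. Judging from that title, the map of such an object can be shared through a map cache, and `Map::CopyForObserved` would record a transition on that shared map in place. State that next to the condition, e.g. `// Maps of slow-mode objects may be shared via a map cache; never add the observed transition to them in place.` A map mutated in place is visible to every object that shares it, so the invariant is worth spelling out where it is enforced. `JSObject::SetObserved` starts before and continues past this hunk, so any related handling elsewhere in the function is not visible here.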
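Review bot: The new test has no assertion and calls no `%` native even though it passes `--allow-natives-syntax`, so it catches the regression only when `--enable-slow-asserts` fires; as far as I know that flag has an effect only in debug builds, which would make the test pass vacuously elsewhere. Add a header comment naming the invariant, e.g. `// Observing an object whose map comes from a map cache must not add a transition to that map in place.` If the array is expected to have left fast-properties mode after `x[-1] = -1` (the visible lines do not confirm this), pin that precondition with `assertFalse(%HasFastProperties(x));` before the `Object.observe` call. Otherwise drop the unused `--allow-natives-syntax` flag.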