From f1d057dfecdbe1a2154a17199754bc6b6877ea93 Mon Sep 17 00:00:00 2001
From: "kaznacheev@chromium.org"
Date: Fri, 1 Oct 2010 12:40:30 +0000
Subject: [PATCH] Fix property array length calculation in TransformPropertiesToFastFor.

It was silently assumed that inobject_properties value is not too large. Recent introduction of inobject slack tracking made the assumption false and debug tests with no snapshot failed.

Review URL: http://codereview.chromium.org/3584004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5575 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/objects.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/objects.cc b/src/objects.cc
index 737bf57..e21de0b 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -8719,6 +8719,11 @@ Object* StringDictionary::TransformPropertiesToFastFor(
 int inobject_props = obj->map()->inobject_properties();
 int number_of_allocated_fields = number_of_fields + unused_property_fields - inobject_props;
+ if (number_of_allocated_fields < 0) {
+ // There is enough inobject space for all fields (including unused).
+ number_of_allocated_fields = 0;
+ unused_property_fields = inobject_props - number_of_fields;
+ }
 // Allocate the fixed array for the fields.
 Object* fields = Heap::AllocateFixedArray(number_of_allocated_fields);
--
2.7.4
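Review bot: The new branch recomputes `unused_property_fields = inobject_props - number_of_fields`, which is non-negative only because the incoming `unused_property_fields` is assumed to be non-negative; nothing in the hunk pins that precondition, so a negative or stale value would still yield a negative slack count that flows into whatever consumes it after the hunk (the rest of TransformPropertiesToFastFor is outside the hunk, so that consumer is not visible here). The length passed to `Heap::AllocateFixedArray` is now clamped, but the invariant the fix relies on would be clearer as an explicit check before the allocation: `ASSERT(number_of_allocated_fields >= 0);` and `ASSERT(unused_property_fields >= 0);`. The branch comment could also say why the slack is moved rather than just that it fits, e.g. `// All fields fit in-object, so the remaining slack stays in-object and no out-of-object array is needed.`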