nodejs
diff --git a/Collapse file
‎deps/v8/include/v8-version.h‎
Copy file name to clipboardExpand all lines: deps/v8/include/v8-version.h
+1-1Lines changed: 1 addition & 1 deletion b/Collapse file
‎deps/v8/include/v8-version.h‎
Copy file name to clipboardExpand all lines: deps/v8/include/v8-version.h
+1-1Lines changed: 1 addition & 1 deletion
diff --git a/Collapse file
‎deps/v8/src/objects.cc‎
Copy file name to clipboardExpand all lines: deps/v8/src/objects.cc
+10-3Lines changed: 10 additions & 3 deletions b/Collapse file
‎deps/v8/src/objects.cc‎
Copy file name to clipboardExpand all lines: deps/v8/src/objects.cc
+10-3Lines changed: 10 additions & 3 deletions
diff --git a/Collapse file
‎deps/v8/test/mjsunit/regress/regress-666046.js‎
Copy file name to clipboard
+57Lines changed: 57 additions & 0 deletions b/Collapse file
‎deps/v8/test/mjsunit/regress/regress-666046.js‎
Copy file name to clipboard
+57Lines changed: 57 additions & 0 deletions
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 5
 #define V8_MINOR_VERSION 4
 #define V8_BUILD_NUMBER 500
-#define V8_PATCH_LEVEL 45
+#define V8_PATCH_LEVEL 46
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 
@@ -3449,9 +3449,16 @@ void MigrateFastToSlow(Handle<JSObject> object, Handle<Map> new_map,
   // Ensure that in-object space of slow-mode object does not contain random
   // garbage.
   int inobject_properties = new_map->GetInObjectProperties();
-  for (int i = 0; i < inobject_properties; i++) {
-    FieldIndex index = FieldIndex::ForPropertyIndex(*new_map, i);
-    object->RawFastPropertyAtPut(index, Smi::FromInt(0));
+  if (inobject_properties) {
+    Heap* heap = isolate->heap();
+    heap->ClearRecordedSlotRange(
+        object->address() + map->GetInObjectPropertyOffset(0),
+        object->address() + new_instance_size);
+
+    for (int i = 0; i < inobject_properties; i++) {
+      FieldIndex index = FieldIndex::ForPropertyIndex(*new_map, i);
+      object->RawFastPropertyAtPut(index, Smi::FromInt(0));
+    }
   }
 
   isolate->counters()->props_to_dictionary()->Increment();
 
@@ -0,0 +1,57 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+function P() {
+  this.a0 = {};
+  this.a1 = {};
+  this.a2 = {};
+  this.a3 = {};
+  this.a4 = {};
+}
+
+function A() {
+}
+
+var proto = new P();
+A.prototype = proto;
+
+function foo(o) {
+  return o.a0;
+}
+
+// Ensure |proto| is in old space.
+gc();
+gc();
+gc();
+
+// Ensure |proto| is marked as "should be fast".
+var o = new A();
+foo(o);
+foo(o);
+foo(o);
+assertTrue(%HasFastProperties(proto));
+
+// Contruct a double value that looks like a tagged pointer.
+var buffer = new ArrayBuffer(8);
+var int32view = new Int32Array(buffer);
+var float64view = new Float64Array(buffer);
+int32view[0] = int32view[1] = 0x40000001;
+var boom = float64view[0];
+
+
+// Write new space object.
+proto.a4 = {a: 0};
+// Immediately delete the field.
+delete proto.a4;
+
+// |proto| must sill be fast.
+assertTrue(%HasFastProperties(proto));
+
+// Add a double field instead of deleted a4 that looks like a tagged pointer.
+proto.boom = boom;
+
+// Boom!
+gc();