Reviewers: jarin, Michael Starzinger,

Description:
Do not install fillers when right trimming large objects.

BUG=

Please review this at https://codereview.chromium.org/487703002/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+8, -5 lines):
  M src/heap/heap.cc
  A + test/mjsunit/regress/regress-404981.js


Index: src/heap/heap.cc
diff --git a/src/heap/heap.cc b/src/heap/heap.cc
index fd08c8292f812c8c3084fb699eb9f65dcc98b4a7..5d3bde4592c991844f1f024c7ab7cb391702d2e7 100644
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -3321,7 +3321,6 @@ void Heap::RightTrimFixedArray(FixedArrayBase* object, int elements_to_trim) {
   const int bytes_to_trim = elements_to_trim * element_size;

   // For now this trick is only applied to objects in new and paged space.
-  DCHECK(!lo_space()->Contains(object));
   DCHECK(object->map() != fixed_cow_array_map());

   const int len = object->length();
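Review bot: The context comment `// For now this trick is only applied to objects in new and paged space.` stays in place after the DCHECK it described is removed, so it now contradicts the code: arrays in large object space reach this path. I would reword it along the lines of `// This trick applies to new, paged and large object space; large objects get no filler.` The body of RightTrimFixedArray starts and ends outside this hunk.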
@@ -3333,7 +3332,12 @@ void Heap::RightTrimFixedArray(FixedArrayBase* object, int elements_to_trim) {
   // Technically in new space this write might be omitted (except for
   // debug mode which iterates through the heap), but to play safer
   // we still do it.
-  CreateFillerObjectAt(new_end, bytes_to_trim);
+  // We do not create a filler for objects in large object space.
+  // TODO(hpayer): We should shrink the large object page if the size
+  // of the object changed significantly.
+  if (!lo_space()->Contains(object)) {
+    CreateFillerObjectAt(new_end, bytes_to_trim);
+  }

   // Initialize header of the trimmed array. We are storing the new length
   // using release store after creating a filler for the left-over space to
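Review bot: On the large-object branch the bytes between `new_end` and the old end of the array keep their previous contents, and the added comment says no filler is written without saying why that is safe. Presumably it relies on a large object page holding a single object, so nothing walks the page past the new length; if the author confirms this, it should be recorded, e.g. `// A large object page holds one object, so heap iteration never reaches the stale tail.` The context comment that follows still says the length is stored "after creating a filler", which no longer holds on this branch. The function continues outside the hunk, so whether the code after the length store handles a large object correctly cannot be checked from here.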
Index: test/mjsunit/regress/regress-404981.js
diff --git a/test/mjsunit/regress/regress-349870.js b/test/mjsunit/regress/regress-404981.js
similarity index 72%
copy from test/mjsunit/regress/regress-349870.js
copy to test/mjsunit/regress/regress-404981.js
index 72df05524bf1ccbcc8e4201512238e6f99e3fdea..5508d6fea710c12b931621eabc9fd61e4ab28517 100644
--- a/test/mjsunit/regress/regress-349870.js
+++ b/test/mjsunit/regress/regress-404981.js
@@ -2,6 +2,5 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-var r = /x/;
-Object.freeze(r);
-r.compile("x");
+var large_object = new Array(5000001);
+large_object.length = 23;
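Review bot: The test has no assertion, so it only catches the regression if a debug check or crash fires while the length is being stored. Adding `assertEquals(23, large_object.length);` would also pin the result of the trim. A comment such as `// 5000001 elements is meant to force allocation in large object space.` would record why the size matters; the actual threshold is not visible on this page, so that intent is inferred.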

