Reviewers: Rico,
Message:
Please review.
Description:
Fix FixedDoubleArray crashes in chromebot
[email protected]
BUG=non
TEST=running urls from reliability bots
Please review this at http://codereview.chromium.org/7497010/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/heap-inl.h
M src/heap.h
M src/heap.cc
Index: src/heap-inl.h
diff --git a/src/heap-inl.h b/src/heap-inl.h
index
b0b4fbe2dcbd45f0a7a437e956efbf74004f0927..b08655c7edcbf72115f10b4820624a5550df1d26
100644
--- a/src/heap-inl.h
+++ b/src/heap-inl.h
@@ -142,6 +142,11 @@ MaybeObject* Heap::CopyFixedArray(FixedArray* src) {
}
+MaybeObject* Heap::CopyFixedDoubleArray(FixedDoubleArray* src) {
+ return CopyFixedDoubleArrayWithMap(src, src->map());
+}
+
+
MaybeObject* Heap::AllocateRaw(int size_in_bytes,
AllocationSpace space,
AllocationSpace retry_space) {
Index: src/heap.cc
diff --git a/src/heap.cc b/src/heap.cc
index
8dbda270fe3644d6647db538d05b67274e19aacf..c04fd0e3ab0d46a4507c9098cf63f3ef9ed55251
100644
--- a/src/heap.cc
+++ b/src/heap.cc
@@ -3388,14 +3388,20 @@ MaybeObject* Heap::CopyJSObject(JSObject* source) {
object_size);
}
- FixedArray* elements = FixedArray::cast(source->elements());
+ FixedArrayBase* elements = FixedArrayBase::cast(source->elements());
FixedArray* properties = FixedArray::cast(source->properties());
// Update elements if necessary.
if (elements->length() > 0) {
Object* elem;
- { MaybeObject* maybe_elem =
- (elements->map() == fixed_cow_array_map()) ?
- elements : CopyFixedArray(elements);
+ { MaybeObject* maybe_elem;
+ if (elements->map() == fixed_cow_array_map()) {
+ maybe_elem = FixedArray::cast(elements);
+ } else if (source->HasFastDoubleElements()) {
+ maybe_elem =
+ CopyFixedDoubleArray(FixedDoubleArray::cast(elements));
+ } else {
+ maybe_elem = CopyFixedArray(FixedArray::cast(elements));
+ }
if (!maybe_elem->ToObject(&elem)) return maybe_elem;
}
JSObject::cast(clone)->set_elements(FixedArray::cast(elem));
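Review bot: The unchanged last line of this hunk, `JSObject::cast(clone)->set_elements(FixedArray::cast(elem));`, still casts the copy to FixedArray, even though the new `HasFastDoubleElements()` branch can leave a FixedDoubleArray in `elem`. If FixedArray::cast is a checked cast in debug builds (its definition is not visible here), that path would assert; in release builds the object would be handed on under the wrong static type. Assuming set_elements accepts the base type, `JSObject::cast(clone)->set_elements(FixedArrayBase::cast(elem));` would match the `FixedArrayBase* elements` change at the top of the hunk. CopyJSObject starts before the hunk and its end is not visible, so any later use of the clone's elements should be checked for the same assumption.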
@@ -3757,6 +3763,23 @@ MaybeObject* Heap::CopyFixedArrayWithMap(FixedArray*
src, Map* map) {
}
+MaybeObject* Heap::CopyFixedDoubleArrayWithMap(FixedDoubleArray* src,
+ Map* map) {
+ int len = src->length();
+ Object* obj;
+ { MaybeObject* maybe_obj = AllocateRawFixedDoubleArray(len,
+ NOT_TENURED);
+ if (!maybe_obj->ToObject(&obj)) return maybe_obj;
+ }
+ HeapObject* dst = HeapObject::cast(obj);
+ dst->set_map(map);
+ CopyBlock(dst->address() + kPointerSize,
+ src->address() + kPointerSize,
+ FixedDoubleArray::SizeFor(len) - kPointerSize);
+ return obj;
+}
+
+
MaybeObject* Heap::AllocateFixedArray(int length) {
ASSERT(length >= 0);
if (length == 0) return empty_fixed_array();
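Review bot: CopyFixedDoubleArrayWithMap copies `FixedDoubleArray::SizeFor(len) - kPointerSize` raw bytes starting one word past the object start, and nothing in the hunk explains why a plain CopyBlock is sufficient. I would add a comment above the CopyBlock call such as `// Copy the length field and the unboxed double payload; the map word is set above.`, and state there whether the payload can ever hold tagged pointers, since that decides whether skipping the write barrier is safe (presumably it cannot, but confirm). The copy stays in bounds only if AllocateRawFixedDoubleArray(len, NOT_TENURED) reserves exactly SizeFor(len) bytes, which is not visible here. An `ASSERT(len >= 0);` at the top, as AllocateFixedArray does just below, would document the expected range.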
Index: src/heap.h
diff --git a/src/heap.h b/src/heap.h
index
6cd4f840b93e4abfcd052e2ab71392dda182b2b1..a7a24b0c9eab7afdf8b0f54344167f3e7e480e36
100644
--- a/src/heap.h
+++ b/src/heap.h
@@ -617,6 +617,16 @@ class Heap {
// Failure::RetryAfterGC(requested_bytes, space) if the allocation
failed.
MUST_USE_RESULT MaybeObject* CopyFixedArrayWithMap(FixedArray* src, Map*
map);
+ // Make a copy of src and return it. Returns
+ // Failure::RetryAfterGC(requested_bytes, space) if the allocation
failed.
+ MUST_USE_RESULT inline MaybeObject* CopyFixedDoubleArray(
+ FixedDoubleArray* src);
+
+ // Make a copy of src, set the map, and return the copy. Returns
+ // Failure::RetryAfterGC(requested_bytes, space) if the allocation
failed.
+ MUST_USE_RESULT MaybeObject* CopyFixedDoubleArrayWithMap(
+ FixedDoubleArray* src, Map* map);
+
// Allocates a fixed array initialized with the hole values.
// Returns Failure::RetryAfterGC(requested_bytes, space) if the
allocation
// failed.