Revision: 9498
Author: [email protected]
Date: Fri Sep 30 06:03:48 2011
Log: Fix map modification in transition tree traversal.
While traversing the transition tree we build a work-list using the map
field of maps. Setting those map values with a write barrier causes
black-to-gray changes on maps which are currently not recognized as
such, hence their computed size might be off.
[email protected]
BUG=v8:1672
TEST=cctest/test-decls/Present
Review URL: http://codereview.chromium.org/8082023
http://code.google.com/p/v8/source/detail?r=9498
Modified:
/branches/bleeding_edge/src/objects-inl.h
/branches/bleeding_edge/src/objects.cc
/branches/bleeding_edge/src/objects.h
=======================================
--- /branches/bleeding_edge/src/objects-inl.h Fri Sep 30 01:39:56 2011
+++ /branches/bleeding_edge/src/objects-inl.h Fri Sep 30 06:03:48 2011
@@ -1237,6 +1237,12 @@
value->GetHeap()->incremental_marking()->RecordWrite(this, NULL,
value);
}
}
+
+
+// Unsafe accessor omitting write barrier.
+void HeapObject::set_map_unsafe(Map* value) {
+ set_map_word(MapWord::FromMap(value));
+}
MapWord HeapObject::map_word() {
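Review bot: The comment on `set_map_unsafe` says only that the write barrier is omitted, not when that is allowed, and the declaration added in objects.h has no comment at all. Skipping the barrier means the incremental marker is never told about the store, so a caller that leaves a real reference in the map word across a marking step could have the target treated as unreachable. I would state the contract at both the definition and the declaration, for example `// Stores the map word without notifying the incremental marker. Only for temporary values that are restored before any allocation or GC step can run.` That precondition is inferred from the commit log and should be confirmed against the traversal code.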
=======================================
--- /branches/bleeding_edge/src/objects.cc Mon Sep 26 09:54:50 2011
+++ /branches/bleeding_edge/src/objects.cc Fri Sep 30 06:03:48 2011
@@ -4474,7 +4474,7 @@
// of the next map and recording the index in the transition
array in
// the map field of the array.
Map* next = Map::cast(contents->get(i));
- next->set_map(current);
+ next->set_map_unsafe(current);
*map_or_index_field = Smi::FromInt(i + 2);
current = next;
map_done = false;
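Review bot: Nothing at this `next->set_map_unsafe(current)` call, or at the two further calls in the `@@ -4499` and `@@ -4515` hunks, records why skipping the barrier is safe here. During the traversal the map word of each map on the path back to the start holds a back pointer rather than the meta map, and `callback(current, data)` runs while those ancestors are still in that state, so correctness appears to depend on no allocation or marking step happening inside the callback. If the enclosing function, which begins outside these hunks, does not already have a debug-only no-allocation guard, I would add one. In either case I would put a comment at the first call, such as `// Back pointer is temporary; the map word is reset to meta_map before the callback sees this map.`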
@@ -4499,7 +4499,7 @@
Object* perhaps_map = prototype_transitions->get(i);
if (perhaps_map->IsMap()) {
Map* next = Map::cast(perhaps_map);
- next->set_map(current);
+ next->set_map_unsafe(current);
*proto_map_or_index_field =
Smi::FromInt(i + kProtoTransitionElementsPerEntry);
current = next;
@@ -4515,7 +4515,7 @@
// the map field, which is being used to track the traversal and put
the
// correct map (the meta_map) in place while we do the callback.
Map* prev = current->map();
- current->set_map(meta_map);
+ current->set_map_unsafe(meta_map);
callback(current, data);
current = prev;
}
=======================================
--- /branches/bleeding_edge/src/objects.h Fri Sep 30 01:39:56 2011
+++ /branches/bleeding_edge/src/objects.h Fri Sep 30 06:03:48 2011
@@ -1127,6 +1127,7 @@
// information.
inline Map* map();
inline void set_map(Map* value);
+ inline void set_map_unsafe(Map* value);
// During garbage collection, the map word of a heap object does not
// necessarily contain a map pointer.