Revision: 12687
Author: [email protected]
Date: Wed Oct 10 05:29:44 2012
Log: Fix CNLT regression.
This happens when a map A with no descriptors in fast_holey_elements
mode first gets some properties, making it share descriptor arrays with
a map B to which it transitions. Then map A transitions elements kind to
dictionary_elements in map C. C stores the empty_descriptor_array in its
own transition array. When adding a property to C, C transitions to D
and shares the descriptors. If D dies, a CNLT clears the transition
array of C, making the descriptor array of A (and thus also of B) shine
through. If a property is now added to an object in state C, it'll inherit
all the properties of A (and B). If those properties had high field indices,
we do not have a large enough backing store for the single newly added
property, and we'll write out of bounds.
BUG=chromium:151749
Review URL: https://chromiumcodereview.appspot.com/11017054
http://code.google.com/p/v8/source/detail?r=12687
Added:
/branches/bleeding_edge/test/mjsunit/regress/regress-cnlt-elements.js
Modified:
/branches/bleeding_edge/src/objects-printer.cc
/branches/bleeding_edge/src/objects.cc
=======================================
--- /dev/null
+++ /branches/bleeding_edge/test/mjsunit/regress/regress-cnlt-elements.js
Wed Oct 10 05:29:44 2012
@@ -0,0 +1,43 @@
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --expose-gc
+
+var a = JSON.parse('{"b":1,"c":2,"d":3,"e":4}');
+var b = JSON.parse('{"12040200":1, "a":2, "b":2}');
+var c = JSON.parse('{"24050300":1}');
+b = null;
+gc();
+gc();
+c.a1 = 2;
+c.a2 = 2;
+c.a3 = 2;
+c.a4 = 2;
+c.a5 = 2;
+c.a6 = 2;
+c.a7 = 2;
+c.a8 = 2;
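Review bot: The new test has no assertion, so in a build where the out-of-bounds write from the commit message does not crash or trip an ASSERT it passes silently, which makes it a weak regression guard; the property adds on `c` at the end of the file should be followed by checks on the observable outcome. I would append `assertEquals(2, c.a8);` and, since the description says an object in state C could inherit A's descriptors, something like `assertFalse("b" in c);` so a reappearance of the bug is caught by mjsunit rather than only by a memory fault. Whether `"b" in c` is precisely the symptom that leaks through is inferred from the commit message, so the exact property to check should be confirmed against the scenario.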
=======================================
--- /branches/bleeding_edge/src/objects-printer.cc Mon Aug 20 04:35:50 2012
+++ /branches/bleeding_edge/src/objects-printer.cc Wed Oct 10 05:29:44 2012
@@ -562,7 +562,12 @@
if (is_access_check_needed()) {
PrintF(out, " - access_check_needed\n");
}
- PrintF(out, " - instance descriptors: ");
+ PrintF(out, " - back pointer: ");
+ GetBackPointer()->ShortPrint(out);
+ PrintF(out, "\n - instance descriptors %i #%i %i: ",
+ owns_descriptors(),
+ NumberOfOwnDescriptors(),
+ StoresOwnDescriptors());
instance_descriptors()->ShortPrint(out);
if (HasTransitionArray()) {
PrintF(out, "\n - transitions: ");
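Review bot: The new `%i #%i %i` fields in the instance descriptors line are unlabeled, so anyone reading a map dump has to open objects-printer.cc to learn which number is owns_descriptors(), which is NumberOfOwnDescriptors() and which is StoresOwnDescriptors(). Naming them in the format string costs nothing, e.g. `PrintF(out, "\n - instance descriptors (owns=%i, #own=%i, stores=%i): ",` with the three arguments unchanged. The enclosing MapPrint body starts and ends outside this hunk.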
=======================================
--- /branches/bleeding_edge/src/objects.cc Mon Oct 1 02:48:07 2012
+++ /branches/bleeding_edge/src/objects.cc Wed Oct 10 05:29:44 2012
@@ -5145,7 +5145,7 @@
ASSERT(new_map->NumberOfOwnDescriptors() == NumberOfOwnDescriptors());
new_map->set_elements_kind(kind);
- if (flag == INSERT_TRANSITION) {
+ if (flag == INSERT_TRANSITION && !HasElementsTransition()) {
// Map::Copy does not store the descriptor array in case it is empty,
since
// it does not insert a back pointer; implicitly indicating that its
// descriptor array is empty. Since in this case we do want to insert
a back
@@ -7563,16 +7563,6 @@
}
set_owns_descriptors(true);
}
-
- // If the final transition array does not contain any live transitions,
remove
- // the transition array from the map.
- if (transition_index == 0 &&
- !t->HasElementsTransition() &&
- !t->HasPrototypeTransitions() &&
- number_of_own_descriptors == 0) {
- ASSERT(owns_descriptors());
- return ClearTransitions(heap);
- }
int trim = t->number_of_transitions() - transition_index;
if (trim > 0) {