Revision: 13482
Author: [email protected]
Date: Wed Jan 23 08:28:41 2013
Log: Merged r13480, r13481 into trunk branch.
Always fail when trying to store to an undeclared global variable, even if
it was found.
Fix corner case when JSFunction is evicted from flusher.
BUG=chromium:168801
[email protected]
Review URL: https://codereview.chromium.org/12040042
http://code.google.com/p/v8/source/detail?r=13482
Added:
/trunk/test/cctest/test-global-object.cc
Modified:
/trunk/src/ic.cc
/trunk/src/ic.h
/trunk/src/mark-compact.cc
/trunk/src/stub-cache.cc
/trunk/src/version.cc
/trunk/test/cctest/cctest.gyp
/trunk/test/cctest/test-heap.cc
=======================================
--- /dev/null
+++ /trunk/test/cctest/test-global-object.cc Wed Jan 23 08:28:41 2013
@@ -0,0 +1,51 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#include "v8.h"
+
+#include "cctest.h"
+
+using namespace v8;
+
+// This test fails if properties on the prototype of the global object
appear
+// as declared globals.
+TEST(StrictUndeclaredGlobalVariable) {
+ HandleScope scope;
+ v8::Local<v8::String> var_name = v8_str("x");
+ LocalContext context;
+ v8::TryCatch try_catch;
+ v8::Local<v8::Script> script = v8_compile("\"use strict\"; x = 42;");
+ v8::Handle<v8::Object> proto = v8::Object::New();
+ v8::Handle<v8::Object> global =
+ context->Global()->GetPrototype().As<v8::Object>();
+ proto->Set(var_name, v8_num(100));
+ global->SetPrototype(proto);
+ script->Run();
+ CHECK(try_catch.HasCaught());
+ v8::String::Utf8Value exception(try_catch.Exception());
+ CHECK_EQ("ReferenceError: x is not defined", *exception);
+}
=======================================
--- /trunk/src/ic.cc Wed Jan 23 05:46:53 2013
+++ /trunk/src/ic.cc Wed Jan 23 08:28:41 2013
@@ -542,7 +542,7 @@
if (!lookup.IsFound()) {
// If the object does not have the requested property, check which
// exception we need to throw.
- return IsContextual(object)
+ return IsUndeclaredGlobal(object)
? ReferenceError("not_defined", name)
: TypeError("undefined_method", object, name);
}
@@ -561,7 +561,7 @@
if (lookup.IsInterceptor() && attr == ABSENT) {
// If the object does not have the requested property, check which
// exception we need to throw.
- return IsContextual(object)
+ return IsUndeclaredGlobal(object)
? ReferenceError("not_defined", name)
: TypeError("undefined_method", object, name);
}
@@ -933,7 +933,7 @@
// If we did not find a property, check if we need to throw an exception.
if (!lookup.IsFound()) {
- if (IsContextual(object)) {
+ if (IsUndeclaredGlobal(object)) {
return ReferenceError("not_defined", name);
}
LOG(isolate(), SuspectReadEvent(*name, *object));
@@ -952,7 +952,7 @@
RETURN_IF_EMPTY_HANDLE(isolate(), result);
// If the property is not present, check if we need to throw an
// exception.
- if (attr == ABSENT && IsContextual(object)) {
+ if (attr == ABSENT && IsUndeclaredGlobal(object)) {
return ReferenceError("not_defined", name);
}
return *result;
@@ -1390,11 +1390,8 @@
if (FLAG_use_ic) {
UpdateStoreCaches(&lookup, state, strict_mode, receiver, name,
value);
}
- } else if (strict_mode == kStrictMode &&
- !lookup.IsFound() &&
- IsContextual(object)) {
- // Strict mode doesn't allow setting non-existent global property
- // or an assignment to a read only property.
+ } else if (strict_mode == kStrictMode && IsUndeclaredGlobal(object)) {
+ // Strict mode doesn't allow setting non-existent global property.
return ReferenceError("not_defined", name);
}
=======================================
--- /trunk/src/ic.h Wed Jan 23 05:46:53 2013
+++ /trunk/src/ic.h Wed Jan 23 08:28:41 2013
@@ -110,16 +110,16 @@
// Returns if this IC is for contextual (no explicit receiver)
// access to properties.
- bool IsContextual(Handle<Object> receiver) {
+ bool IsUndeclaredGlobal(Handle<Object> receiver) {
if (receiver->IsGlobalObject()) {
- return SlowIsContextual();
+ return SlowIsUndeclaredGlobal();
} else {
- ASSERT(!SlowIsContextual());
+ ASSERT(!SlowIsUndeclaredGlobal());
return false;
}
}
- bool SlowIsContextual() {
+ bool SlowIsUndeclaredGlobal() {
return ComputeMode() == RelocInfo::CODE_TARGET_CONTEXT;
}
=======================================
--- /trunk/src/mark-compact.cc Fri Jan 18 08:29:40 2013
+++ /trunk/src/mark-compact.cc Wed Jan 23 08:28:41 2013
@@ -943,8 +943,7 @@
void CodeFlusher::EvictCandidate(SharedFunctionInfo* shared_info) {
- // The function is no longer a candidate, make sure it gets visited
- // again so that previous flushing decisions are revisited.
+ // Make sure previous flushing decisions are revisited.
isolate_->heap()->incremental_marking()->RecordWrites(shared_info);
SharedFunctionInfo* candidate = shared_function_info_candidates_head_;
@@ -974,9 +973,9 @@
ASSERT(!function->next_function_link()->IsUndefined());
Object* undefined = isolate_->heap()->undefined_value();
- // The function is no longer a candidate, make sure it gets visited
- // again so that previous flushing decisions are revisited.
+ // Make sure previous flushing decisions are revisited.
isolate_->heap()->incremental_marking()->RecordWrites(function);
+
isolate_->heap()->incremental_marking()->RecordWrites(function->shared());
JSFunction* candidate = jsfunction_candidates_head_;
JSFunction* next_candidate;
=======================================
--- /trunk/src/stub-cache.cc Wed Jan 23 05:46:53 2013
+++ /trunk/src/stub-cache.cc Wed Jan 23 08:28:41 2013
@@ -1057,7 +1057,7 @@
// can't use either LoadIC or KeyedLoadIC constructors.
IC ic(IC::NO_EXTRA_FRAME, Isolate::Current());
ASSERT(ic.target()->is_load_stub() || ic.target()->is_keyed_load_stub());
- if (!ic.SlowIsContextual()) return HEAP->undefined_value();
+ if (!ic.SlowIsUndeclaredGlobal()) return HEAP->undefined_value();
// Throw a reference error.
HandleScope scope;
=======================================
--- /trunk/src/version.cc Wed Jan 23 05:46:53 2013
+++ /trunk/src/version.cc Wed Jan 23 08:28:41 2013
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 16
#define BUILD_NUMBER 8
-#define PATCH_LEVEL 0
+#define PATCH_LEVEL 1
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
=======================================
--- /trunk/test/cctest/cctest.gyp Mon Nov 12 06:53:34 2012
+++ /trunk/test/cctest/cctest.gyp Wed Jan 23 08:28:41 2013
@@ -69,6 +69,7 @@
'test-fixed-dtoa.cc',
'test-flags.cc',
'test-func-name-inference.cc',
+ 'test-global-object.cc',
'test-hashing.cc',
'test-hashmap.cc',
'test-heap.cc',
=======================================
--- /trunk/test/cctest/test-heap.cc Mon Jan 21 06:39:38 2013
+++ /trunk/test/cctest/test-heap.cc Wed Jan 23 08:28:41 2013
@@ -2778,3 +2778,57 @@
AlwaysAllocateScope aa_scope;
v8::Script::Compile(mote_code_string)->Run();
}
+
+
+TEST(Regress168801) {
+ i::FLAG_always_compact = true;
+ i::FLAG_cache_optimized_code = false;
+ i::FLAG_allow_natives_syntax = true;
+ i::FLAG_flush_code_incrementally = true;
+ InitializeVM();
+ v8::HandleScope scope;
+
+ // Perform one initial GC to enable code flushing.
+ HEAP->CollectAllGarbage(Heap::kAbortIncrementalMarkingMask);
+
+ // Ensure the code ends up on an evacuation candidate.
+ SimulateFullSpace(HEAP->code_space());
+
+ // Prepare an unoptimized function that is eligible for code flushing.
+ Handle<JSFunction> function;
+ {
+ HandleScope inner_scope;
+ CompileRun("function mkClosure() {"
+ " return function(x) { return x + 1; };"
+ "}"
+ "var f = mkClosure();"
+ "f(1); f(2);");
+
+ Handle<JSFunction> f =
+ v8::Utils::OpenHandle(
+ *v8::Handle<v8::Function>::Cast(
+ v8::Context::GetCurrent()->Global()->Get(v8_str("f"))));
+ CHECK(f->is_compiled());
+ const int kAgingThreshold = 6;
+ for (int i = 0; i < kAgingThreshold; i++) {
+ f->shared()->code()->MakeOlder(static_cast<MarkingParity>(i % 2));
+ }
+
+ function = inner_scope.CloseAndEscape(handle(*f, ISOLATE));
+ }
+
+ // Simulate incremental marking so that unoptimized function is enqueued
as a
+ // candidate for code flushing. The shared function info however will
not be
+ // explicitly enqueued.
+ SimulateIncrementalMarking();
+
+ // Now optimize the function so that it is taken off the candidate list.
+ {
+ HandleScope inner_scope;
+ CompileRun("%OptimizeFunctionOnNextCall(f); f(3);");
+ }
+
+ // This cycle will bust the heap and subsequent cycles will go ballistic.
+ HEAP->CollectAllGarbage(Heap::kNoGCFlags);
+ HEAP->CollectAllGarbage(Heap::kNoGCFlags);
+}
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
