Reviewers: Hannes Payer,

Description:
Mark HStringCompareAndBranch as potentially causing GCs.

This also adds a %SetAllocationTimeout runtime function which helps to
write regression tests that need to trigger a GC at a certain point in
program execution.

[email protected]
BUG=chromium:274438
TEST=mjsunit/regress/regress-crbug-274438

Please review this at https://codereview.chromium.org/22933006/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files:
  M src/heap.h
  M src/heap.cc
  M src/hydrogen-instructions.h
  M src/runtime.h
  M src/runtime.cc
  A + test/mjsunit/regress/regress-crbug-274438.js


Index: src/heap.cc
diff --git a/src/heap.cc b/src/heap.cc
index 9d8a6fad9954d96eb3576d25a90630a29277d794..623ec31e20fca8169ba724e5be33a5f736511a34 100644
--- a/src/heap.cc
+++ b/src/heap.cc
@@ -4013,10 +4013,10 @@ MaybeObject* Heap::AllocateByteArray(int length, PretenureFlag pretenure) {
     return AllocateByteArray(length);
   }
   int size = ByteArray::SizeFor(length);
+  AllocationSpace space =
+      (size > Page::kMaxNonCodeHeapObjectSize) ? LO_SPACE : OLD_DATA_SPACE;
   Object* result;
-  { MaybeObject* maybe_result = (size <= Page::kMaxNonCodeHeapObjectSize)
-                   ? old_data_space_->AllocateRaw(size)
-                   : lo_space_->AllocateRaw(size, NOT_EXECUTABLE);
+  { MaybeObject* maybe_result = AllocateRaw(size, space, space);
     if (!maybe_result->ToObject(&result)) return maybe_result;
   }
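Review bot: The switch from calling `old_data_space_->AllocateRaw` / `lo_space_->AllocateRaw` directly to `AllocateRaw(size, space, space)` is not mentioned in the description and carries no comment, so a later reader cannot tell that it is deliberate. If the intent is that byte-array allocation goes through the common Heap::AllocateRaw path (presumably so the debug allocation-timeout check applies here as well; AllocateRaw's body is not visible on this page), say so above the new lines, e.g. `// Go through Heap::AllocateRaw so this allocation is subject to the same checks as every other one.` The comment should also say why `space` is passed for the third argument as well as the second. The function body starts and ends outside the hunk.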

Index: src/heap.h
diff --git a/src/heap.h b/src/heap.h
index 78c0e5b26b410a2cb6a22e17464cc8bd35d7f7b7..e0ffa63e9abdf8678925b12cef99b154ef76163a 100644
--- a/src/heap.h
+++ b/src/heap.h
@@ -1490,6 +1490,10 @@ class Heap {
inline bool IsInGCPostProcessing() { return gc_post_processing_depth_ > 0; }

 #ifdef DEBUG
+  void set_allocation_timeout(int timeout) {
+    allocation_timeout_ = timeout;
+  }
+
   bool disallow_allocation_failure() {
     return disallow_allocation_failure_;
   }
Index: src/hydrogen-instructions.h
diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h
index 41f9d0d5ccdecae37ed1cf08206f09136a6f8476..10a311125a9c4be301f3881ff2c728cab6349056 100644
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@@ -4081,6 +4081,7 @@ class HStringCompareAndBranch: public HTemplateControlInstruction<2, 3> {
     SetOperandAt(1, left);
     SetOperandAt(2, right);
     set_representation(Representation::Tagged());
+    SetGVNFlag(kChangesNewSpacePromotion);
   }

   HValue* context() { return OperandAt(0); }
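Review bot: The added `SetGVNFlag(kChangesNewSpacePromotion);` in the constructor has no comment saying why a compare-and-branch instruction carries that flag. Going by the description, the instruction can cause a GC, and the flag is presumably what keeps later optimization passes from assuming that objects allocated before it are still in new space. A missing annotation of this kind tends to surface as heap corruption in optimized code, not as a clean failure. I would add a line above it such as `// The string compare may allocate and trigger a GC, which can promote new-space objects.` The constructor starts outside the hunk.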
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index 10de6f9e5ec001c595a0b86632599f9be9a22074..655304470b1a0e0b1a12027004012c07198e1f19 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -8635,6 +8635,19 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_CompileForOnStackReplacement) {
 }


+RUNTIME_FUNCTION(MaybeObject*, Runtime_SetAllocationTimeout) {
+  SealHandleScope shs(isolate);
+  ASSERT(args.length() == 2);
+#ifdef DEBUG
+  CONVERT_SMI_ARG_CHECKED(interval, 0);
+  CONVERT_SMI_ARG_CHECKED(timeout, 1);
+  isolate->heap()->set_allocation_timeout(timeout);
+  FLAG_gc_interval = interval;
+#endif
+  return isolate->heap()->undefined_value();
+}
+
+
 RUNTIME_FUNCTION(MaybeObject*, Runtime_CheckIsBootstrapping) {
   SealHandleScope shs(isolate);
   RUNTIME_ASSERT(isolate->bootstrapper()->IsActive());
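Review bot: Runtime_SetAllocationTimeout assigns the global `FLAG_gc_interval` and never restores it, so the changed interval stays in force for everything that runs after the call, not only for the test that made it. The argument order is also easy to get wrong: argument 0 is the interval and argument 1 is the timeout, although the function is named after the timeout. Both points deserve a comment above the function, e.g. `// Testing only: args are (gc_interval, allocation_timeout); gc_interval stays set afterwards. No-op unless DEBUG.`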
Index: src/runtime.h
diff --git a/src/runtime.h b/src/runtime.h
index 23e91f2ae9e9b64cdf19bd3ce3410e1082508980..a9a7d4a3e3d86963dbf9021ded7128a39bd776ef 100644
--- a/src/runtime.h
+++ b/src/runtime.h
@@ -101,6 +101,7 @@ namespace internal {
   F(GetOptimizationStatus, -1, 1) \
   F(GetOptimizationCount, 1, 1) \
   F(CompileForOnStackReplacement, 1, 1) \
+  F(SetAllocationTimeout, 2, 1) \
   F(AllocateInNewSpace, 1, 1) \
   F(AllocateInOldPointerSpace, 1, 1) \
   F(AllocateInOldDataSpace, 1, 1) \
Index: test/mjsunit/regress/regress-crbug-274438.js
diff --git a/test/mjsunit/regress/regress-2489.js b/test/mjsunit/regress/regress-crbug-274438.js
similarity index 89%
copy from test/mjsunit/regress/regress-2489.js
copy to test/mjsunit/regress/regress-crbug-274438.js
index 882c4f794a88e24d1d64e86a466b27c39f51e625..5d6817d129173955045334e4f5e872972ad84de6 100644
--- a/test/mjsunit/regress/regress-2489.js
+++ b/test/mjsunit/regress/regress-crbug-274438.js
@@ -27,24 +27,17 @@

 // Flags: --allow-natives-syntax

-"use strict";
-
 function f(a, b) {
-  return g("c", "d");
-}
-
-function g(a, b) {
-  g.constructor.apply(this, arguments);
-}
-
-g.constructor = function(a, b) {
-  assertEquals("c", a);
-  assertEquals("d", b);
+  var x = { a:a };
+  switch(b) { case "string": }
+  var y = { b:b };
+  return y;
 }

 f("a", "b");
 f("a", "b");
 %OptimizeFunctionOnNextCall(f);
 f("a", "b");
-g.x = "deopt";
-f("a", "b");
+%SetAllocationTimeout(100, 0);
+var killer = f("bang", "bo" + "om");
+assertEquals("boom", killer.b);
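Review bot: The test passes without exercising anything when `%SetAllocationTimeout` does nothing, which per the runtime.cc hunk is the case in builds without DEBUG; nothing in the file says so. It also has no comment explaining the shape of `f`: the `switch(b) { case "string": }` appears to be there to put a string comparison between the two object-literal allocations, with `"bo" + "om"` supplying a string built at run time. A short header such as `// Regression test for crbug 274438: GC during the string compare in optimized code. Only effective in debug builds.` would keep the next person from simplifying the test into something that no longer covers the bug.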

