Reviewers: mvstanton, Michael Starzinger,
Description:
Fix heap verifier for partially constructed arrays when allocation folding is off.
BUG=
Please review this at https://codereview.chromium.org/23934008/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+14, -8 lines):
M src/objects-debug.cc
Index: src/objects-debug.cc
diff --git a/src/objects-debug.cc b/src/objects-debug.cc
index
3716df1e87cf6069dce0ab83d7564aa150b02d97..ba122bdde43d76e7230c04659ac286cdcda73d02
100644
--- a/src/objects-debug.cc
+++ b/src/objects-debug.cc
@@ -330,10 +330,13 @@ void JSObject::JSObjectVerify() {
}
}
- // TODO(hpayer): deal gracefully with partially constructed JSObjects,
when
- // allocation folding is turned off.
- if (reinterpret_cast<Map*>(elements()) !=
- GetHeap()->one_pointer_filler_map()) {
+ if ((!FLAG_use_gvn || !FLAG_use_allocation_folding) &&
+ (reinterpret_cast<Map*>(elements()) ==
+ GetHeap()->one_pointer_filler_map())) {
+ // A GC was caused while constructing this object. This can just
happen when
+ // allocation folding is turned off. The elements pointer may point to
a
+ // filler map in that case.
+ } else {
CHECK_EQ((map()->has_fast_smi_or_object_elements() ||
(elements() == GetHeap()->empty_fixed_array())),
(elements()->map() == GetHeap()->fixed_array_map() ||
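Review bot: The comment added in the empty `if` branch says a GC during construction can happen only when allocation folding is off, but the condition also accepts the filler map when `FLAG_use_gvn` is off, and nothing explains why. I would reword it to cover both flags, e.g. `// A GC can run while this object is under construction only when allocation folding is disabled, either directly or because GVN is off; elements() may then still hold the filler map.` The dependency of folding on GVN is my inference from the condition and should be confirmed before it is written down. The same comment appears in the JSArray::JSArrayVerify hunk. In this branch every elements check is skipped, so with either flag off the verifier will not report an elements slot that holds the filler map for any other reason, which is worth stating in the comment too. JSObjectVerify's body starts and ends outside the hunk.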
@@ -683,10 +686,13 @@ void Code::VerifyEmbeddedMapsDependency() {
void JSArray::JSArrayVerify() {
JSObjectVerify();
CHECK(length()->IsNumber() || length()->IsUndefined());
- // TODO(hpayer): deal gracefully with partially constructed JSObjects,
when
- // allocation folding is turned off.
- if (reinterpret_cast<Map*>(elements()) !=
- GetHeap()->one_pointer_filler_map()) {
+ if ((!FLAG_use_gvn || !FLAG_use_allocation_folding) &&
+ (reinterpret_cast<Map*>(elements()) ==
+ GetHeap()->one_pointer_filler_map())) {
+ // A GC was caused while constructing this array. This can just happen
when
+ // allocation folding is turned off. The elements pointer may point to
a
+ // filler map in that case.
+ } else {
CHECK(elements()->IsUndefined() ||
elements()->IsFixedArray() ||
elements()->IsFixedDoubleArray());
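Review bot: The flag-and-filler-map test here is a token-for-token copy of the one added in JSObject::JSObjectVerify, and JSArrayVerify already calls `JSObjectVerify()` just above, so the tolerance for partially constructed objects is now maintained in two places. A small private predicate shared by both verifiers would keep the two sites from drifting apart when the flags change. It would also let each site be written as a negated guard around the CHECK instead of an empty `if` followed by `else`. The end of JSArrayVerify lies outside the hunk.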