Revision: 17397
Author:   [email protected]
Date:     Fri Oct 25 12:26:47 2013 UTC
Log: The Elements pointer in a JSObject can have a filler map instead of a
valid fixed array, iff a gc occurred while allocating a fixed array as
part of array construction. Heap verification needs protection against
examining the elements object in this case.

[email protected]

Review URL: https://codereview.chromium.org/43383004
http://code.google.com/p/v8/source/detail?r=17397

Modified:
 /branches/bleeding_edge/src/objects-debug.cc
 /branches/bleeding_edge/src/objects-inl.h
 /branches/bleeding_edge/src/objects.h
 /branches/bleeding_edge/test/mjsunit/mjsunit.status

=======================================
--- /branches/bleeding_edge/src/objects-debug.cc Mon Oct 14 13:35:06 2013 UTC
+++ /branches/bleeding_edge/src/objects-debug.cc Fri Oct 25 12:26:47 2013 UTC
@@ -335,9 +335,7 @@

   // If a GC was caused while constructing this object, the elements
   // pointer may point to a one pointer filler map.
-  if ((FLAG_use_gvn && FLAG_use_allocation_folding) ||
-      (reinterpret_cast<Map*>(elements()) !=
-      GetHeap()->one_pointer_filler_map())) {
+  if (ElementsAreSafeToExamine()) {
     CHECK_EQ((map()->has_fast_smi_or_object_elements() ||
               (elements() == GetHeap()->empty_fixed_array())),
              (elements()->map() == GetHeap()->fixed_array_map() ||
@@ -698,9 +696,7 @@
   CHECK(length()->IsNumber() || length()->IsUndefined());
   // If a GC was caused while constructing this array, the elements
   // pointer may point to a one pointer filler map.
-  if ((FLAG_use_gvn && FLAG_use_allocation_folding) ||
-      (reinterpret_cast<Map*>(elements()) !=
-      GetHeap()->one_pointer_filler_map())) {
+  if (ElementsAreSafeToExamine()) {
     CHECK(elements()->IsUndefined() ||
           elements()->IsFixedArray() ||
           elements()->IsFixedDoubleArray());
@@ -1141,6 +1137,13 @@

   PrintF("\n");
 }
+
+
+bool JSObject::ElementsAreSafeToExamine() {
+  return (FLAG_use_gvn && FLAG_use_allocation_folding) ||
+      reinterpret_cast<Map*>(elements()) !=
+      GetHeap()->one_pointer_filler_map();
+}


 bool DescriptorArray::IsSortedNoDuplicates(int valid_entries) {
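Review bot: The first disjunct of ElementsAreSafeToExamine() makes it return true whenever FLAG_use_gvn and FLAG_use_allocation_folding are both set, so under that flag combination the filler-map comparison on the following two lines is never evaluated and the callers in the two earlier hunks of this file and in objects-inl.h go on to dereference elements() without any check. That is exactly what the replaced inline conditions did, but now that the logic has a name that promises safety, the reason those flags imply the object cannot be observed mid-construction should be stated above the return, e.g. `// With GVN and allocation folding the elements pointer is assumed never to be a filler here — state the invariant that guarantees this.` I cannot see from the hunk whether such an invariant holds, so the comment should be written by whoever knows it rather than copied from this note. The `#if`/`#endif` region this definition lives in starts outside the hunk.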
=======================================
--- /branches/bleeding_edge/src/objects-inl.h   Fri Oct 25 11:10:28 2013 UTC
+++ /branches/bleeding_edge/src/objects-inl.h   Fri Oct 25 12:26:47 2013 UTC
@@ -5516,19 +5516,24 @@
 #if DEBUG
   FixedArrayBase* fixed_array =
       reinterpret_cast<FixedArrayBase*>(READ_FIELD(this, kElementsOffset));
-  Map* map = fixed_array->map();
-  ASSERT((IsFastSmiOrObjectElementsKind(kind) &&
-          (map == GetHeap()->fixed_array_map() ||
-           map == GetHeap()->fixed_cow_array_map())) ||
-         (IsFastDoubleElementsKind(kind) &&
-          (fixed_array->IsFixedDoubleArray() ||
-           fixed_array == GetHeap()->empty_fixed_array())) ||
-         (kind == DICTIONARY_ELEMENTS &&
+
+  // If a GC was caused while constructing this object, the elements
+  // pointer may point to a one pointer filler map.
+  if (ElementsAreSafeToExamine()) {
+    Map* map = fixed_array->map();
+    ASSERT((IsFastSmiOrObjectElementsKind(kind) &&
+            (map == GetHeap()->fixed_array_map() ||
+             map == GetHeap()->fixed_cow_array_map())) ||
+           (IsFastDoubleElementsKind(kind) &&
+            (fixed_array->IsFixedDoubleArray() ||
+             fixed_array == GetHeap()->empty_fixed_array())) ||
+           (kind == DICTIONARY_ELEMENTS &&
             fixed_array->IsFixedArray() &&
-          fixed_array->IsDictionary()) ||
-         (kind > DICTIONARY_ELEMENTS));
-  ASSERT((kind != NON_STRICT_ARGUMENTS_ELEMENTS) ||
-         (elements()->IsFixedArray() && elements()->length() >= 2));
+            fixed_array->IsDictionary()) ||
+           (kind > DICTIONARY_ELEMENTS));
+    ASSERT((kind != NON_STRICT_ARGUMENTS_ELEMENTS) ||
+           (elements()->IsFixedArray() && elements()->length() >= 2));
+  }
 #endif
   return kind;
 }
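Review bot: The new call to ElementsAreSafeToExamine() inside this `#if DEBUG` block introduces a link-time dependency on the definition in objects-debug.cc, and whether that definition is compiled under the same condition is not visible in either hunk; if it sits in a section guarded by a verification- or print-only macro, a DEBUG build with that macro off would fail to link. Worth confirming the guards agree, or giving the predicate an inline definition in this header. The enclosing function starts before this hunk; `fixed_array` is still derived from READ_FIELD ahead of the guard, which is fine because it is only dereferenced inside the new `if`.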
=======================================
--- /branches/bleeding_edge/src/objects.h       Thu Oct 24 10:50:35 2013 UTC
+++ /branches/bleeding_edge/src/objects.h       Fri Oct 25 12:26:47 2013 UTC
@@ -2590,6 +2590,11 @@
   };

   void IncrementSpillStatistics(SpillInformation* info);
+
+ // If a GC was caused while constructing this object, the elements pointer
+  // may point to a one pointer filler map. The object won't be rooted, but
+  // our heap verification code could stumble across it.
+  bool ElementsAreSafeToExamine();
 #endif
   Object* SlowReverseLookup(Object* value);

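Review bot: The first line of the added comment is indented one space while the two lines after it and the declaration itself use two, so the block reads as misaligned; change ` // If a GC was caused while constructing this object, the elements pointer` to `  // If a GC was caused while constructing this object, the elements pointer`. While there, the comment explains the hazard but not the contract, so a line such as `// Returns false when elements() still points at the one-pointer filler map.` would tell a reader what a false result means. The conditional region this declaration sits in opens before the hunk.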
=======================================
--- /branches/bleeding_edge/test/mjsunit/mjsunit.status Fri Oct 25 08:57:50 2013 UTC
+++ /branches/bleeding_edge/test/mjsunit/mjsunit.status Fri Oct 25 12:26:47 2013 UTC
@@ -33,9 +33,6 @@
   # TODO(mvstanton) Re-enable when the performance is bearable again.
   'regress/regress-2185-2': [SKIP],

-  # TODO(mvstanton) Re-enable when the bug is fixed.
-  'regress/regress-2612': [PASS, ['mode == debug', SKIP]],
-
##############################################################################
   # Fails.
   'regress/regress-1119': [FAIL],
