Reviewers: Hannes Payer,

Message:
Committed patchset #2 manually as r19604 (tree was closed).

Description:
A JSArray may have a filler map in the elements pointer.

We already have code that expects this, but incorrectly asserted that the
filler map case would never happen when allocation folding is turned on.
However, even folding has its limits, bailing out of continued folding
when the object size grows too large. Therefore, it's a general problem
when verifying JSArray objects, that we might encounter a filler map
in elements().

Discovered by ClusterFuzz crbug 347903.

[email protected]
LOG=N
BUG=347903

Committed: https://code.google.com/p/v8/source/detail?r=19604

Please review this at https://codereview.chromium.org/184493002/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+22, -2 lines):
  M src/objects-debug.cc
  A test/mjsunit/regress/regress-crbug-347903.js


Index: src/objects-debug.cc
diff --git a/src/objects-debug.cc b/src/objects-debug.cc
index d4cbef7d6a701f0afdae4b8df08830c019faa835..626ff00931a3be3841bc5b216aff90279875e35d 100644
--- a/src/objects-debug.cc
+++ b/src/objects-debug.cc
@@ -264,8 +264,9 @@ void FixedTypedArray<Traits>::FixedTypedArrayVerify() {


 bool JSObject::ElementsAreSafeToExamine() {
-  return (FLAG_use_gvn && FLAG_use_allocation_folding) ||
-      reinterpret_cast<Map*>(elements()) !=
+  // If a GC was caused while constructing this object, the elements
+  // pointer may point to a one pointer filler map.
+  return reinterpret_cast<Map*>(elements()) !=
       GetHeap()->one_pointer_filler_map();
 }

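Review bot: The new comment in ElementsAreSafeToExamine() explains only the GC-during-construction case, but the CL description says the filler map also shows up when allocation folding bails out because the object grew too large, which is exactly the case the removed `(FLAG_use_gvn && FLAG_use_allocation_folding)` short-circuit got wrong. Please extend the comment to name both situations, e.g. "... or if allocation folding bailed out part-way through allocating this object", so nobody re-introduces a flag-based shortcut later. Also consider noting that the comparison is only against one_pointer_filler_map(); if any other filler can land in elements() the verifier would still dereference it.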
Index: test/mjsunit/regress/regress-crbug-347903.js
diff --git a/test/mjsunit/regress/regress-crbug-347903.js b/test/mjsunit/regress/regress-crbug-347903.js
new file mode 100644
index 0000000000000000000000000000000000000000..b5174da0d07ee1dbfb71277248ce902235cf7f6f
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-347903.js
@@ -0,0 +1,19 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --use-allocation-folding --verify-heap
+
+function f() {
+  var a = new Array(84632);
+  // Allocation folding will bail out trying to fold the elements alloc of
+  // array "b."
+  var b = new Array(84632);
+  var c = new Array(84632);
+  return [a, b, c];
+}
+f(); f();
+%OptimizeFunctionOnNextCall(f);
+for(var i = 0; i < 10; i++) {
+  f();
+}
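Review bot: The test depends on --verify-heap aborting to fail, so a short comment above f() stating that the test passes iff heap verification does not assert on the filler map in elements would make the intent clear to whoever revisits it; likewise the magic size 84632 deserves a comment saying it is chosen so that the folded allocation exceeds the folding size limit and the elements allocation of "b" is left unfolded. Two style points: `for(var i = 0; ...)` should be `for (var i = 0; ...)` per the rest of the mjsunit tests, and the period in `array "b."` belongs outside the quotes.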


--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev