Reviewers: Michael Starzinger,

Description:
Fix PathTracer.

When tracing, we abuse the map for marking, thereby mutating it.
FixedTypedArrayBase::size() uses the object's map, which causes a crash.

[email protected]

Please review this at https://codereview.chromium.org/300753002/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+14, -5 lines):
  M src/objects.h
  M src/objects-inl.h


Index: src/objects-inl.h
diff --git a/src/objects-inl.h b/src/objects-inl.h
index 31ebbb18c8a42bf0399208099e20ac7f910c2d8c..f17540af484ce2e3b95e31f43ead0dbb4862fa60 100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -3673,8 +3673,8 @@ void* FixedTypedArrayBase::DataPtr() {
 }


-int FixedTypedArrayBase::DataSize() {
-  InstanceType instance_type = map()->instance_type();
+int FixedTypedArrayBase::DataSizeFromMap(Map* map) {
+  InstanceType instance_type = map->instance_type();
   int element_size;
   switch (instance_type) {
#define TYPED_ARRAY_CASE(Type, type, TYPE, ctype, size) \
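Review bot: The new `DataSizeFromMap(Map* map)` carries no comment saying why it takes the map as an argument, and the reason is the whole point of this change: the object's own map word is mutated while tracing, so `map()` cannot be trusted there. Suggest a one-line comment above the definition such as `// Must not call map(): the map word may be overwritten during tracing.` The parameter name `map` shadows the inherited `map()` accessor, which matches the existing `HeapObject::SizeFromMap(Map* map)` in the later hunk, so that appears to be project practice rather than an oversight. The body of DataSizeFromMap continues past the end of this hunk.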
@@ -3693,7 +3693,12 @@ int FixedTypedArrayBase::DataSize() {


 int FixedTypedArrayBase::size() {
-  return OBJECT_POINTER_ALIGN(kDataOffset + DataSize());
+  return OBJECT_POINTER_ALIGN(kDataOffset + DataSizeFromMap(map()));
+}
+
+
+int FixedTypedArrayBase::SizeFromMap(Map* map) {
+  return OBJECT_POINTER_ALIGN(kDataOffset + DataSizeFromMap(map));
 }


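Review bot: `size()` and the new `SizeFromMap` now spell out the same `OBJECT_POINTER_ALIGN(kDataOffset + DataSizeFromMap(...))` expression twice, so the alignment rule has two places to drift apart. `size()` could forward instead, `return SizeFromMap(map());`, which is also how this same change defines `DataSize()` in objects.h as `return DataSizeFromMap(map());`, keeping the map-taking overload as the single implementation.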
@@ -3951,7 +3956,7 @@ int HeapObject::SizeFromMap(Map* map) {
   }
   if (instance_type >= FIRST_FIXED_TYPED_ARRAY_TYPE &&
       instance_type <= LAST_FIXED_TYPED_ARRAY_TYPE) {
-    return reinterpret_cast<FixedTypedArrayBase*>(this)->size();
+    return reinterpret_cast<FixedTypedArrayBase*>(this)->SizeFromMap(map);
   }
   ASSERT(instance_type == CODE_TYPE);
   return reinterpret_cast<Code*>(this)->CodeSize();
Index: src/objects.h
diff --git a/src/objects.h b/src/objects.h
index 8ef7f20231f5e5a0d77bae8321462db95affe69e..ac1a33750a6eeee0eb89519e57a5165ec9ad7ee8 100644
--- a/src/objects.h
+++ b/src/objects.h
@@ -5077,12 +5077,16 @@ class FixedTypedArrayBase: public FixedArrayBase {

   inline int size();

+  inline int SizeFromMap(Map* map);
+
   // Use with care: returns raw pointer into heap.
   inline void* DataPtr();

-  inline int DataSize();
+  inline int DataSize() { return DataSizeFromMap(map()); }

  private:
+  inline int DataSizeFromMap(Map* map);
+
   DISALLOW_IMPLICIT_CONSTRUCTORS(FixedTypedArrayBase);
 };

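Review bot: The new public `SizeFromMap(Map* map)` is declared without a comment explaining when a caller must use it rather than `size()`, and the contract is non-obvious: per the description, the object's map word may be mutated while tracing, so `size()` is unsafe there. Suggest above the declaration: `// Like size(), but computes the size from the given map instead of map(); use whenever the object's map word may be temporarily overwritten (e.g. during tracing).` Separately, `DataSize()` is now defined in the class body while the neighbouring `size()`, `DataPtr()` and the new `SizeFromMap`/`DataSizeFromMap` are declared `inline` here and defined in objects-inl.h; defining `DataSize()` in objects-inl.h as well would keep the declaration block uniform.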

