From 11484e7e9b83564a0e0f08f02dae9e81c9fc5910 Mon Sep 17 00:00:00 2001
From: titzer
Date: Mon, 10 Jul 2017 06:49:34 -0700
Subject: [PATCH] [wasm] Improve precision of slow DCHECK for WebAssembly-constructed internal objects.
BUG=chromium:740325
R=ahaas@chromium.org,mlippautz@chromium.org
Review-Url: https://codereview.chromium.org/2972353002
Cr-Commit-Position: refs/heads/master@{#46518}
---
 src/objects.cc | 17 ++++---
 test/mjsunit/asm/regress-740325.js | 71 ++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+), 6 deletions(-)
 create mode 100644 test/mjsunit/asm/regress-740325.js
diff --git a/src/objects.cc b/src/objects.cc
index 246bd09fd3..7bf9a83f75 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -15851,23 +15851,28 @@ bool JSObject::WasConstructedFromApiFunction() {
 auto instance_type = map()->instance_type();
 bool is_api_object = instance_type == JS_API_OBJECT_TYPE ||
 instance_type == JS_SPECIAL_API_OBJECT_TYPE;
+ bool is_wasm_object =
+ instance_type == WASM_MEMORY_TYPE || instance_type == WASM_MODULE_TYPE ||
+ instance_type == WASM_INSTANCE_TYPE || instance_type == WASM_TABLE_TYPE;
 #ifdef ENABLE_SLOW_DCHECKS
 if (FLAG_enable_slow_asserts) {
 Object* maybe_constructor = map()->GetConstructor();
 if (maybe_constructor->IsJSFunction()) {
 JSFunction* constructor = JSFunction::cast(maybe_constructor);
- if (constructor->shared()->IsApiFunction()) {
- DCHECK(is_api_object);
- } else {
- DCHECK(!is_api_object);
- }
+ DCHECK_EQ(constructor->shared()->IsApiFunction(),
+ is_api_object || is_wasm_object);
 } else if (maybe_constructor->IsFunctionTemplateInfo()) {
- DCHECK(is_api_object);
+ DCHECK(is_api_object || is_wasm_object);
 } else {
 return false;
 }
 }
 #endif
+ // TODO(titzer): Clean this up somehow. WebAssembly objects should not be
+ // considered "constructed from API functions" even though they have
+ // function template info, since that would make the V8 GC identify them to
+ // the embedder, e.g. the Oilpan GC.
+ USE(is_wasm_object);
 return is_api_object;
 }
diff --git a/test/mjsunit/asm/regress-740325.js b/test/mjsunit/asm/regress-740325.js
new file mode 100644
index 0000000000..9377aaeea0
--- /dev/null
+++ b/test/mjsunit/asm/regress-740325.js
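Review bot: `is_wasm_object` is computed unconditionally but is only read inside the `#ifdef ENABLE_SLOW_DCHECKS` block, which is the only reason the hunk needs `USE(is_wasm_object);` after `#endif`; declaring it inside that block, next to `maybe_constructor`, would drop the `USE` and leave the release-build body exactly as before. The TODO comment explaining why WebAssembly objects are deliberately left out of the returned value sits beside the `USE` line and reads as if it documented that line; it belongs at `return is_api_object;` or at the declaration of `is_wasm_object`, since the return value is what the embedder's GC integration consumes. The four `WASM_*_TYPE` comparisons form a hand-maintained list that a future WebAssembly instance type would silently miss, so a comment such as `// Keep in sync with the set of WebAssembly instance types.` above the declaration would help. The hunk covers the whole body of `JSObject::WasConstructedFromApiFunction`, whose signature is visible only in the hunk header.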
@@ -0,0 +1,71 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc
+
+assertTrue = function assertTrue() { }
+assertFalse = function assertFalse() { }
+
+__v_3 = [];
+__v_2 = [];
+__v_0 = 0;
+__v_2.__defineGetter__(0, function() {
+ if (__v_0++ > 2) return;
+ gc();
+ __v_3.concat(__v_2);
+});
+__v_2[0];
+
+
+function __f_2() {
+}
+
+(function __f_1() {
+ print("1...");
+ function __f_5(stdlib, imports) {
+ "use asm";
+ var __f_2 = imports.__f_2;
+ function __f_3(a) {
+ a = a | 0;
+ }
+ return { __f_3:__f_3 };
+ }
+ var __v_2 = __f_5(this, { __f_2:__f_2 });
+;
+})();
+
+(function __f_10() {
+ print("2...");
+ function __f_5() {
+ "use asm";
+ function __f_3(a) {
+ }
+ }
+ var __v_2 = __f_5();
+ assertFalse();
+})();
+
+(function __f_11() {
+ print("3...");
+ let m = (function __f_6() {
+ function __f_5() {
+ "use asm";
+ function __f_3() {
+ }
+ return { __f_3:__f_3 };
+ }
+ var __v_2 = __f_5( { __f_2:__f_2 });
+ });
+ for (var i = 0; i < 30; i++) {
+ print(" i = " + i);
+ var x = m();
+ for (var j = 0; j < 200; j++) {
+ try {
+ __f_5;
+ } catch (e) {
+ }
+ }
+ x;
+ }
+})();
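Review bot: The file overrides `assertTrue` and `assertFalse` with empty functions, so the `assertFalse();` call in `__f_10` checks nothing and the test can only fail by crashing or tripping a DCHECK; that is presumably intended for a fuzzer-reduced regression test, but nothing in the file says so, and a later cleanup could "fix" it by deleting the stubs. A header comment such as `// Regression test for chromium:740325: must run without hitting the slow DCHECK in JSObject::WasConstructedFromApiFunction; the no-op assert stubs are intentional.` would record that. The copyright line reads 2016 although the file is added by a July 2017 commit.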