[wasm] Improve precision of slow DCHECK for WebAssembly-constructed internal objects.

BUG=chromium:740325 R=ahaas@chromium.org,mlippautz@chromium.org Review-Url: https://codereview.chromium.org/2972353002 Cr-Commit-Position: refs/heads/master@{#46518}
2017-07-10 06:49:34 -07:00 · 2017-07-10 06:49:34 -07:00 · 11484e7e9b
commit 11484e7e9b
parent bb881c8880
2 changed files with 82 additions and 6 deletions
--- a/src/objects.cc
+++ b/src/objects.cc
@ -15851,23 +15851,28 @@ bool JSObject::WasConstructedFromApiFunction() {
  auto instance_type = map()->instance_type();
  bool is_api_object = instance_type == JS_API_OBJECT_TYPE ||
                       instance_type == JS_SPECIAL_API_OBJECT_TYPE;
+  bool is_wasm_object =
+      instance_type == WASM_MEMORY_TYPE || instance_type == WASM_MODULE_TYPE ||
+      instance_type == WASM_INSTANCE_TYPE || instance_type == WASM_TABLE_TYPE;
 #ifdef ENABLE_SLOW_DCHECKS
  if (FLAG_enable_slow_asserts) {
    Object* maybe_constructor = map()->GetConstructor();
    if (maybe_constructor->IsJSFunction()) {
      JSFunction* constructor = JSFunction::cast(maybe_constructor);
-      if (constructor->shared()->IsApiFunction()) {
-        DCHECK(is_api_object);
-      } else {
-        DCHECK(!is_api_object);
-      }
+      DCHECK_EQ(constructor->shared()->IsApiFunction(),
+                is_api_object || is_wasm_object);
    } else if (maybe_constructor->IsFunctionTemplateInfo()) {
-      DCHECK(is_api_object);
+      DCHECK(is_api_object || is_wasm_object);
    } else {
      return false;
    }
  }
 #endif
+  // TODO(titzer): Clean this up somehow. WebAssembly objects should not be
+  // considered "constructed from API functions" even though they have
+  // function template info, since that would make the V8 GC identify them to
+  // the embedder, e.g. the Oilpan GC.
+  USE(is_wasm_object);
  return is_api_object;
 }

--- a/test/mjsunit/asm/regress-740325.js
+++ b/test/mjsunit/asm/regress-740325.js
@ -0,0 +1,71 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc
+
+assertTrue = function assertTrue() { }
+assertFalse = function assertFalse() { }
+
+__v_3 = [];
+__v_2 = [];
+__v_0 = 0;
+__v_2.__defineGetter__(0, function() {
+  if (__v_0++ > 2) return;
+  gc();
+  __v_3.concat(__v_2);
+});
+__v_2[0];
+
+
+function __f_2() {
+}
+
+(function __f_1() {
+  print("1...");
+  function __f_5(stdlib, imports) {
+    "use asm";
+    var __f_2 = imports.__f_2;
+    function __f_3(a) {
+      a = a | 0;
+    }
+    return { __f_3:__f_3 };
+  }
+  var __v_2 = __f_5(this, { __f_2:__f_2 });
+;
+})();
+
+(function __f_10() {
+  print("2...");
+  function __f_5() {
+    "use asm";
+    function __f_3(a) {
+    }
+  }
+  var __v_2 = __f_5();
+  assertFalse();
+})();
+
+(function __f_11() {
+  print("3...");
+  let m = (function __f_6() {
+    function __f_5() {
+      "use asm";
+      function __f_3() {
+      }
+      return { __f_3:__f_3 };
+    }
+    var __v_2 = __f_5( { __f_2:__f_2 });
+  });
+  for (var i = 0; i < 30; i++) {
+    print("  i = " + i);
+    var x = m();
+    for (var j = 0; j < 200; j++) {
+      try {
+        __f_5;
+      } catch (e) {
+      }
+    }
+    x;
+  }
+})();