Fix PathTracer.

When tracing, we abuse the map for marking, thereby mutating it. FixedTypedArrayBase::size() uses the object's map, which causes crash. R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/300753002 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21523 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2014-05-27 13:05:11 +00:00 · 2014-05-27 13:05:11 +00:00 · 1630b6d83c
commit 1630b6d83c
parent db8f7e0383
3 changed files with 31 additions and 5 deletions
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@ -3673,10 +3673,9 @@ void* FixedTypedArrayBase::DataPtr() {
 }


-int FixedTypedArrayBase::DataSize() {
-  InstanceType instance_type = map()->instance_type();
+int FixedTypedArrayBase::DataSize(InstanceType type) {
  int element_size;
-  switch (instance_type) {
+  switch (type) {
 #define TYPED_ARRAY_CASE(Type, type, TYPE, ctype, size)                       \
    case FIXED_##TYPE##_ARRAY_TYPE:                                           \
      element_size = size;                                                    \
@ -3692,11 +3691,21 @@ int FixedTypedArrayBase::DataSize() {
 }


+int FixedTypedArrayBase::DataSize() {
+  return DataSize(map()->instance_type());
+}
+
+
 int FixedTypedArrayBase::size() {
  return OBJECT_POINTER_ALIGN(kDataOffset + DataSize());
 }


+int FixedTypedArrayBase::TypedArraySize(InstanceType type) {
+  return OBJECT_POINTER_ALIGN(kDataOffset + DataSize(type));
+}
+
+
 uint8_t Uint8ArrayTraits::defaultValue() { return 0; }


@ -3918,7 +3927,7 @@ int HeapObject::SizeFromMap(Map* map) {
  int instance_size = map->instance_size();
  if (instance_size != kVariableSizeSentinel) return instance_size;
  // Only inline the most frequent cases.
-  int instance_type = static_cast<int>(map->instance_type());
+  InstanceType instance_type = map->instance_type();
  if (instance_type == FIXED_ARRAY_TYPE) {
    return FixedArray::BodyDescriptor::SizeOf(map, this);
  }
@ -3951,7 +3960,8 @@ int HeapObject::SizeFromMap(Map* map) {
  }
  if (instance_type >= FIRST_FIXED_TYPED_ARRAY_TYPE &&
      instance_type <= LAST_FIXED_TYPED_ARRAY_TYPE) {
-    return reinterpret_cast<FixedTypedArrayBase*>(this)->size();
+    return reinterpret_cast<FixedTypedArrayBase*>(
+        this)->TypedArraySize(instance_type);
  }
  ASSERT(instance_type == CODE_TYPE);
  return reinterpret_cast<Code*>(this)->CodeSize();
--- a/src/objects.h
+++ b/src/objects.h
@ -5077,12 +5077,16 @@ class FixedTypedArrayBase: public FixedArrayBase {

  inline int size();

+  inline int TypedArraySize(InstanceType type);
+
  // Use with care: returns raw pointer into heap.
  inline void* DataPtr();

  inline int DataSize();

 private:
+  inline int DataSize(InstanceType type);
+
  DISALLOW_IMPLICIT_CONSTRUCTORS(FixedTypedArrayBase);
 };

--- a/test/cctest/test-heap.cc
+++ b/test/cctest/test-heap.cc
@ -4262,3 +4262,15 @@ TEST(ArrayShiftSweeping) {
  CHECK(page->WasSwept() ||
        Marking::IsBlack(Marking::MarkBitFrom(o->elements())));
 }
+
+
+#ifdef DEBUG
+TEST(PathTracer) {
+  CcTest::InitializeVM();
+  v8::HandleScope scope(CcTest::isolate());
+
+  v8::Local<v8::Value> result = CompileRun("'abc'");
+  Handle<Object> o = v8::Utils::OpenHandle(*result);
+  CcTest::i_isolate()->heap()->TracePathToObject(*o);
+}
+#endif  // DEBUG