Ensure root maps do not have slack in descriptor array

Drive-by-fix: enable heap verification in mksnapshot.

Bug: chromium:1025468
Change-Id: Ieb52d5139fa37df4ff0d8e8d46c3e0e6d14c2c8c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924363
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65102}

BUILD.gn

@@ -1318,6 +1318,10 @@ template("run_mksnapshot") {
         args += [ "--no-enable-slow-asserts" ]
       }
     }
+
+    if (v8_enable_verify_heap) {
+      args += [ "--verify-heap" ]
+    }
   }
 }
 

src/diagnostics/objects-debug.cc

@@ -441,8 +441,20 @@ void Map::MapVerify(Isolate* isolate) {
   if (IsContextMap()) {
     CHECK(native_context().IsNativeContext());
   } else {
-    CHECK_IMPLIES(!GetBackPointer().IsUndefined(isolate),
-                  !Map::cast(GetBackPointer()).is_stable());
+    if (GetBackPointer().IsUndefined(isolate)) {
+      // Root maps must keep the ownership and there must be no descriptors
+      // in the descriptors array that do not belong to the map.
+      CHECK(owns_descriptors() || is_prototype_map());
+      CHECK_EQ(NumberOfOwnDescriptors(),
+               instance_descriptors().number_of_descriptors());
+      if (!is_prototype_map()) {
+        // There must be no slack in root maps' descriptors array.
+        CHECK_EQ(0, instance_descriptors().number_of_slack_descriptors());
+      }
+    } else {
+      // If there is a parent map it must be non-stable.
+      CHECK(!Map::cast(GetBackPointer()).is_stable());
+    }
   }
   SLOW_DCHECK(instance_descriptors().IsSortedNoDuplicates());
   DisallowHeapAllocation no_gc;

src/heap/factory.cc

@@ -4059,6 +4059,7 @@ Handle<Map> Factory::CreateSloppyFunctionMap(
     map->AppendDescriptor(isolate(), &d);
   }
   DCHECK_EQ(inobject_properties_count, field_index);
+  DCHECK_EQ(0, map->instance_descriptors().number_of_slack_descriptors());
   LOG(isolate(), MapDetails(*map));
   return map;
 }
@@ -4069,10 +4070,15 @@ Handle<Map> Factory::CreateStrictFunctionMap(
   int header_size = has_prototype ? JSFunction::kSizeWithPrototype
                                   : JSFunction::kSizeWithoutPrototype;
   int inobject_properties_count = 0;
-  if (IsFunctionModeWithName(function_mode)) ++inobject_properties_count;
+  // length and prototype accessors or just length accessor.
+  int descriptors_count = IsFunctionModeWithPrototype(function_mode) ? 2 : 1;
+  if (IsFunctionModeWithName(function_mode)) {
+    ++inobject_properties_count;  // name property.
+  } else {
+    ++descriptors_count;  // name accessor.
+  }
   if (IsFunctionModeWithHomeObject(function_mode)) ++inobject_properties_count;
-  int descriptors_count = (IsFunctionModeWithPrototype(function_mode) ? 3 : 2) +
-                          inobject_properties_count;
+  descriptors_count += inobject_properties_count;
 
   Handle<Map> map = NewMap(
       JS_FUNCTION_TYPE, header_size + inobject_properties_count * kTaggedSize,
@@ -4136,6 +4142,7 @@ Handle<Map> Factory::CreateStrictFunctionMap(
     map->AppendDescriptor(isolate(), &d);
   }
   DCHECK_EQ(inobject_properties_count, field_index);
+  DCHECK_EQ(0, map->instance_descriptors().number_of_slack_descriptors());
   LOG(isolate(), MapDetails(*map));
   return map;
 }

test/mjsunit/regress-crbug-1025468.js

@@ -0,0 +1,15 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f() {
+  class H {
+    ['h']() {}
+  }
+  let h = H.prototype.h;
+  h[1024] = {};
+  h["XXX"] = {};
+  h[-1] = {};
+}
+f();
+f();