[heap-verify] Fix arguments verification with mapped elements

Bug: chromium:726836 Change-Id: I2eaec8550e7ba038646a1f7834d4514a8d4009ea Reviewed-on: https://chromium-review.googlesource.com/517954 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#45604}
2017-05-30 12:38:26 +02:00 · 2017-05-30 12:38:26 +02:00 · 32e4bcd974
commit 32e4bcd974
parent 36de9199f4
3 changed files with 33 additions and 6 deletions
--- a/src/objects-debug.cc
+++ b/src/objects-debug.cc
@ -518,16 +518,14 @@ void SloppyArgumentsElements::SloppyArgumentsElementsVerify(
    CHECK(arg_elements == isolate->heap()->empty_fixed_array());
    return;
  }
-  int nofMappedParameters =
-      length() - SloppyArgumentsElements::kParameterMapStart;
-  CHECK_LE(nofMappedParameters, context_object->length());
-  CHECK_LE(nofMappedParameters, arg_elements->length());
  ElementsAccessor* accessor;
  if (is_fast) {
    accessor = ElementsAccessor::ForKind(FAST_HOLEY_ELEMENTS);
  } else {
    accessor = ElementsAccessor::ForKind(DICTIONARY_ELEMENTS);
  }
+  int nofMappedParameters = 0;
+  int maxMappedIndex = 0;
  for (int i = 0; i < nofMappedParameters; i++) {
    // Verify that each context-mapped argument is either the hole or a valid
    // Smi within context length range.
@ -540,12 +538,20 @@ void SloppyArgumentsElements::SloppyArgumentsElementsVerify(
      CHECK(accessor->HasElement(holder, i, arg_elements));
      continue;
    }
-    Object* value = context_object->get(Smi::cast(mapped)->value());
+    int mappedIndex = Smi::cast(mapped)->value();
+    nofMappedParameters++;
+    CHECK_LE(maxMappedIndex, mappedIndex);
+    maxMappedIndex = mappedIndex;
+    Object* value = context_object->get(mappedIndex);
    CHECK(value->IsObject());
    // None of the context-mapped entries should exist in the arguments
    // elements.
    CHECK(!accessor->HasElement(holder, i, arg_elements));
  }
+  CHECK_LE(nofMappedParameters, context_object->length());
+  CHECK_LE(nofMappedParameters, arg_elements->length());
+  CHECK_LE(maxMappedIndex, context_object->length());
+  CHECK_LE(maxMappedIndex, arg_elements->length());
 }

 void JSGeneratorObject::JSGeneratorObjectVerify() {
--- a/src/objects-printer.cc
+++ b/src/objects-printer.cc
@ -393,14 +393,21 @@ void PrintFixedArrayElements(std::ostream& os, FixedArray* array) {

 void PrintSloppyArgumentElements(std::ostream& os, ElementsKind kind,
                                 SloppyArgumentsElements* elements) {
+  Isolate* isolate = elements->GetIsolate();
  FixedArray* arguments_store = elements->arguments();
  os << "\n    0: context= " << Brief(elements->context())
     << "\n    1: arguments_store= " << Brief(arguments_store)
     << "\n    parameter to context slot map:";
  for (uint32_t i = 0; i < elements->parameter_map_length(); i++) {
    uint32_t raw_index = i + SloppyArgumentsElements::kParameterMapStart;
+    Object* mapped_entry = elements->get_mapped_entry(i);
    os << "\n    " << raw_index << ": param(" << i
-       << ")= " << Brief(elements->get_mapped_entry(i));
+       << ")= " << Brief(mapped_entry);
+    if (mapped_entry->IsTheHole(isolate)) {
+      os << " in the arguements_store[" << i << "]";
+    } else {
+      os << " in the context";
+    }
  }
  if (arguments_store->length() == 0) return;
  os << "\n }"
--- a/test/mjsunit/arguments.js
+++ b/test/mjsunit/arguments.js
@ -352,3 +352,17 @@ assertEquals(117, arg_set(0xFFFFFFFF));
  args2.length = "aa"
  assertTrue(%HaveSameMap(args1, args2));
 })();
+
+
+(function testArgumentsVerification() {
+  (function f2(a,a) {
+    %HeapObjectVerify(arguments);
+  })(1,2);
+
+  function f7(a,a,a,a,a,a,a) {
+    %HeapObjectVerify(arguments);
+  };
+  f7(1,2,3,4,5,6);
+  f7(1,2,3,4,5,6,7);
+  f7(1,2,3,4,5,6,7,8);
+})();