Mark HStringCompareAndBranch as potentially causing GCs.

This also adds a %SetAllocationTimout runtime function which helps to write regression tests that need to trigger a GC at a certain point in program execution. R=hpayer@chromium.org BUG=chromium:274438 TEST=mjsunit/regress/regress-crbug-274438 Review URL: https://codereview.chromium.org/22933006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16205 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-08-16 15:10:07 +00:00 · 2013-08-16 15:10:07 +00:00 · 3e4fbd0e85
commit 3e4fbd0e85
parent aabfd6d610
6 changed files with 65 additions and 3 deletions
--- a/src/heap.cc
+++ b/src/heap.cc
@ -4013,10 +4013,10 @@ MaybeObject* Heap::AllocateByteArray(int length, PretenureFlag pretenure) {
    return AllocateByteArray(length);
  }
  int size = ByteArray::SizeFor(length);
+  AllocationSpace space =
+      (size > Page::kMaxNonCodeHeapObjectSize) ? LO_SPACE : OLD_DATA_SPACE;
  Object* result;
-  { MaybeObject* maybe_result = (size <= Page::kMaxNonCodeHeapObjectSize)
-                   ? old_data_space_->AllocateRaw(size)
-                   : lo_space_->AllocateRaw(size, NOT_EXECUTABLE);
+  { MaybeObject* maybe_result = AllocateRaw(size, space, space);
    if (!maybe_result->ToObject(&result)) return maybe_result;
  }

--- a/src/heap.h
+++ b/src/heap.h
@ -1490,6 +1490,10 @@ class Heap {
  inline bool IsInGCPostProcessing() { return gc_post_processing_depth_ > 0; }

 #ifdef DEBUG
+  void set_allocation_timeout(int timeout) {
+    allocation_timeout_ = timeout;
+  }
+
  bool disallow_allocation_failure() {
    return disallow_allocation_failure_;
  }
--- a/src/hydrogen-instructions.h
+++ b/src/hydrogen-instructions.h
@ -4081,6 +4081,7 @@ class HStringCompareAndBranch: public HTemplateControlInstruction<2, 3> {
    SetOperandAt(1, left);
    SetOperandAt(2, right);
    set_representation(Representation::Tagged());
+    SetGVNFlag(kChangesNewSpacePromotion);
  }

  HValue* context() { return OperandAt(0); }
--- a/src/runtime.cc
+++ b/src/runtime.cc
@ -8635,6 +8635,19 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_CompileForOnStackReplacement) {
 }


+RUNTIME_FUNCTION(MaybeObject*, Runtime_SetAllocationTimeout) {
+  SealHandleScope shs(isolate);
+  ASSERT(args.length() == 2);
+#ifdef DEBUG
+  CONVERT_SMI_ARG_CHECKED(interval, 0);
+  CONVERT_SMI_ARG_CHECKED(timeout, 1);
+  isolate->heap()->set_allocation_timeout(timeout);
+  FLAG_gc_interval = interval;
+#endif
+  return isolate->heap()->undefined_value();
+}
+
+
 RUNTIME_FUNCTION(MaybeObject*, Runtime_CheckIsBootstrapping) {
  SealHandleScope shs(isolate);
  RUNTIME_ASSERT(isolate->bootstrapper()->IsActive());
--- a/src/runtime.h
+++ b/src/runtime.h
@ -101,6 +101,7 @@ namespace internal {
  F(GetOptimizationStatus, -1, 1) \
  F(GetOptimizationCount, 1, 1) \
  F(CompileForOnStackReplacement, 1, 1) \
+  F(SetAllocationTimeout, 2, 1) \
  F(AllocateInNewSpace, 1, 1) \
  F(AllocateInOldPointerSpace, 1, 1) \
  F(AllocateInOldDataSpace, 1, 1) \
--- a/test/mjsunit/regress/regress-crbug-274438.js
+++ b/test/mjsunit/regress/regress-crbug-274438.js
@ -0,0 +1,43 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+function f(a, b) {
+  var x = { a:a };
+  switch(b) { case "string": }
+  var y = { b:b };
+  return y;
+}
+
+f("a", "b");
+f("a", "b");
+%OptimizeFunctionOnNextCall(f);
+f("a", "b");
+%SetAllocationTimeout(100, 0);
+var killer = f("bang", "bo" + "om");
+assertEquals("boom", killer.b);