Add zapping of Map contents in debug mode.

This zaps the contents of stale descriptor arrays and prototype transition arrays before overwriting references to them. It should help to discover accidental sharing early and is needed for the heap verifier when map collection with incremental marking lands. R=ulan@chromium.org BUG=v8:1465 Review URL: https://chromiumcodereview.appspot.com/10383186 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@11569 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2012-05-15 15:45:38 +00:00 · 2012-05-15 15:45:38 +00:00 · 4a7c70de23
commit 4a7c70de23
parent 5d34345c96
3 changed files with 43 additions and 0 deletions
--- a/src/objects-debug.cc
+++ b/src/objects-debug.cc
@ -992,6 +992,28 @@ void NormalizedMapCache::NormalizedMapCacheVerify() {
 }


+void Map::ZapInstanceDescriptors() {
+  DescriptorArray* descriptors = instance_descriptors();
+  if (descriptors == GetHeap()->empty_descriptor_array()) return;
+  FixedArray* contents = FixedArray::cast(
+      descriptors->get(DescriptorArray::kContentArrayIndex));
+  MemsetPointer(descriptors->data_start(),
+                GetHeap()->the_hole_value(),
+                descriptors->length());
+  MemsetPointer(contents->data_start(),
+                GetHeap()->the_hole_value(),
+                contents->length());
+}
+
+
+void Map::ZapPrototypeTransitions() {
+  FixedArray* proto_transitions = prototype_transitions();
+  MemsetPointer(proto_transitions->data_start(),
+                GetHeap()->the_hole_value(),
+                proto_transitions->length());
+}
+
+
 #endif  // DEBUG

 } }  // namespace v8::internal
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@ -3351,6 +3351,9 @@ void Map::clear_instance_descriptors() {
  Object* object = READ_FIELD(this,
                              kInstanceDescriptorsOrBitField3Offset);
  if (!object->IsSmi()) {
+#ifdef DEBUG
+    ZapInstanceDescriptors();
+#endif
    WRITE_FIELD(
        this,
        kInstanceDescriptorsOrBitField3Offset,
@ -3376,6 +3379,11 @@ void Map::set_instance_descriptors(DescriptorArray* value,
    }
  }
  ASSERT(!is_shared());
+#ifdef DEBUG
+  if (value != instance_descriptors()) {
+    ZapInstanceDescriptors();
+  }
+#endif
  WRITE_FIELD(this, kInstanceDescriptorsOrBitField3Offset, value);
  CONDITIONAL_WRITE_BARRIER(
      heap, this, kInstanceDescriptorsOrBitField3Offset, value, mode);
@ -3448,6 +3456,11 @@ void Map::set_prototype_transitions(FixedArray* value, WriteBarrierMode mode) {
  Heap* heap = GetHeap();
  ASSERT(value != heap->empty_fixed_array());
  value->set(kProtoTransitionBackPointerOffset, GetBackPointer());
+#ifdef DEBUG
+  if (value != prototype_transitions()) {
+    ZapPrototypeTransitions();
+  }
+#endif
  WRITE_FIELD(this, kPrototypeTransitionsOrBackPointerOffset, value);
  CONDITIONAL_WRITE_BARRIER(
      heap, this, kPrototypeTransitionsOrBackPointerOffset, value, mode);
--- a/src/objects.h
+++ b/src/objects.h
@ -4855,6 +4855,14 @@ class Map: public HeapObject {
  Handle<Map> FindTransitionedMap(MapHandleList* candidates);
  Map* FindTransitionedMap(MapList* candidates);

+  // Zaps the contents of backing data structures in debug mode. Note that the
+  // heap verifier (i.e. VerifyMarkingVisitor) relies on zapping of objects
+  // holding weak references when incremental marking is used, because it also
+  // iterates over objects that are otherwise unreachable.
+#ifdef DEBUG
+  void ZapInstanceDescriptors();
+  void ZapPrototypeTransitions();
+#endif

  // Dispatched behavior.
 #ifdef OBJECT_PRINT