[runtime] Allow FeedbackMetadata objects in old space for verification

When we changed FeedbackMetadata to be it's own type instead of a subtype of FixedArray, we missed this check for valid objects in old space. This restores the old behavior during verification. Bug: chromium:862433 Change-Id: Icdb144df4aebc0c6d78a28405c7f53e40b2e1376 Reviewed-on: https://chromium-review.googlesource.com/1134995 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#54408}
2018-07-12 14:10:53 +02:00 · 2018-07-12 14:10:53 +02:00 · a0dbaf590a
commit a0dbaf590a
parent d622ff90b6
2 changed files with 10 additions and 1 deletions
--- a/src/heap/spaces.cc
+++ b/src/heap/spaces.cc
@ -3591,7 +3591,7 @@ void LargeObjectSpace::Verify(Isolate* isolate) {
          object->IsWeakFixedArray() || object->IsWeakArrayList() ||
          object->IsPropertyArray() || object->IsByteArray() ||
          object->IsFeedbackVector() || object->IsBigInt() ||
-          object->IsFreeSpace());
+          object->IsFreeSpace() || object->IsFeedbackMetadata());

    // The object itself should look OK.
    object->ObjectVerify(isolate);
--- a/test/mjsunit/regress/regress-862433.js
+++ b/test/mjsunit/regress/regress-862433.js
@ -0,0 +1,9 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var arr = [];
+for (var i = 1; i != 390000; ++i) {
+  arr.push("f()");
+}
+new Function(arr.join());