The elements pointer in a JSObject can hold a one-pointer filler map instead of
a valid fixed array, precisely when a GC occurred while allocating the fixed array as part of array construction. Heap verification needs protection against examining the elements object in this case. R=svenpanne@chromium.org Review URL: https://codereview.chromium.org/43383004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17397 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
parent
7dd2d6c590
commit
a85c825bb9
@ -335,9 +335,7 @@ void JSObject::JSObjectVerify() {
|
||||
|
||||
// If a GC was caused while constructing this object, the elements
|
||||
// pointer may point to a one pointer filler map.
|
||||
if ((FLAG_use_gvn && FLAG_use_allocation_folding) ||
|
||||
(reinterpret_cast<Map*>(elements()) !=
|
||||
GetHeap()->one_pointer_filler_map())) {
|
||||
if (ElementsAreSafeToExamine()) {
|
||||
CHECK_EQ((map()->has_fast_smi_or_object_elements() ||
|
||||
(elements() == GetHeap()->empty_fixed_array())),
|
||||
(elements()->map() == GetHeap()->fixed_array_map() ||
|
||||
@ -698,9 +696,7 @@ void JSArray::JSArrayVerify() {
|
||||
CHECK(length()->IsNumber() || length()->IsUndefined());
|
||||
// If a GC was caused while constructing this array, the elements
|
||||
// pointer may point to a one pointer filler map.
|
||||
if ((FLAG_use_gvn && FLAG_use_allocation_folding) ||
|
||||
(reinterpret_cast<Map*>(elements()) !=
|
||||
GetHeap()->one_pointer_filler_map())) {
|
||||
if (ElementsAreSafeToExamine()) {
|
||||
CHECK(elements()->IsUndefined() ||
|
||||
elements()->IsFixedArray() ||
|
||||
elements()->IsFixedDoubleArray());
|
||||
@ -1143,6 +1139,13 @@ void JSObject::SpillInformation::Print() {
|
||||
}
|
||||
|
||||
|
||||
bool JSObject::ElementsAreSafeToExamine() {
|
||||
return (FLAG_use_gvn && FLAG_use_allocation_folding) ||
|
||||
reinterpret_cast<Map*>(elements()) !=
|
||||
GetHeap()->one_pointer_filler_map();
|
||||
}
|
||||
|
||||
|
||||
bool DescriptorArray::IsSortedNoDuplicates(int valid_entries) {
|
||||
if (valid_entries == -1) valid_entries = number_of_descriptors();
|
||||
Name* current_key = NULL;
|
||||
|
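Review bot: `ElementsAreSafeToExamine` returns true unconditionally when `FLAG_use_gvn && FLAG_use_allocation_folding`, yet neither its body nor the two verifier call sites say why those flags make the elements pointer trustworthy, and the `reinterpret_cast<Map*>` obscures that the second operand is a plain pointer-identity test against the filler map. A reader who later changes allocation folding has no hint that this verifier shortcut depends on it, and if the premise ever fails the CHECK on `elements()->map()` in `JSObjectVerify` will fire with an opaque message rather than "elements is a filler". I would document the premise on the definition — `// With allocation folding the elements store is presumably carved out of the same folded allocation as the object, so no GC can leave a filler behind; otherwise the field may still hold the one-pointer filler map. TODO: confirm.` — and, assuming both `FixedArrayBase` and `Map` derive from `HeapObject`, compare on the common base instead of casting: `HeapObject* e = elements(); return (FLAG_use_gvn && FLAG_use_allocation_folding) || e != GetHeap()->one_pointer_filler_map();`.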
@ -5516,19 +5516,24 @@ ElementsKind JSObject::GetElementsKind() {
|
||||
#if DEBUG
|
||||
FixedArrayBase* fixed_array =
|
||||
reinterpret_cast<FixedArrayBase*>(READ_FIELD(this, kElementsOffset));
|
||||
Map* map = fixed_array->map();
|
||||
ASSERT((IsFastSmiOrObjectElementsKind(kind) &&
|
||||
(map == GetHeap()->fixed_array_map() ||
|
||||
map == GetHeap()->fixed_cow_array_map())) ||
|
||||
(IsFastDoubleElementsKind(kind) &&
|
||||
(fixed_array->IsFixedDoubleArray() ||
|
||||
fixed_array == GetHeap()->empty_fixed_array())) ||
|
||||
(kind == DICTIONARY_ELEMENTS &&
|
||||
|
||||
// If a GC was caused while constructing this object, the elements
|
||||
// pointer may point to a one pointer filler map.
|
||||
if (ElementsAreSafeToExamine()) {
|
||||
Map* map = fixed_array->map();
|
||||
ASSERT((IsFastSmiOrObjectElementsKind(kind) &&
|
||||
(map == GetHeap()->fixed_array_map() ||
|
||||
map == GetHeap()->fixed_cow_array_map())) ||
|
||||
(IsFastDoubleElementsKind(kind) &&
|
||||
(fixed_array->IsFixedDoubleArray() ||
|
||||
fixed_array == GetHeap()->empty_fixed_array())) ||
|
||||
(kind == DICTIONARY_ELEMENTS &&
|
||||
fixed_array->IsFixedArray() &&
|
||||
fixed_array->IsDictionary()) ||
|
||||
(kind > DICTIONARY_ELEMENTS));
|
||||
ASSERT((kind != NON_STRICT_ARGUMENTS_ELEMENTS) ||
|
||||
(elements()->IsFixedArray() && elements()->length() >= 2));
|
||||
fixed_array->IsDictionary()) ||
|
||||
(kind > DICTIONARY_ELEMENTS));
|
||||
ASSERT((kind != NON_STRICT_ARGUMENTS_ELEMENTS) ||
|
||||
(elements()->IsFixedArray() && elements()->length() >= 2));
|
||||
}
|
||||
#endif
|
||||
return kind;
|
||||
}
|
||||
|
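Review bot: The guard added in `GetElementsKind` repeats the three-line filler-map comment that now also appears on `ElementsAreSafeToExamine` in objects.h and at both verifier call sites, so the rationale will drift as soon as one copy is edited. Since the helper's declaration carries the explanation, the call site only needs a pointer to it: `// Skip the consistency checks while elements() may still be a GC filler; see ElementsAreSafeToExamine().` Note also that `GetElementsKind` is an inline accessor while the helper is defined out of line in objects-debug.cc, so every debug-build elements-kind query now pays an extra call plus two flag loads; if that shows up in debug test times, defining the helper in objects-inl.h would keep it inlinable. The function begins before this hunk; only its tail and closing brace are visible here.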
@ -2590,6 +2590,11 @@ class JSObject: public JSReceiver {
|
||||
};
|
||||
|
||||
void IncrementSpillStatistics(SpillInformation* info);
|
||||
|
||||
// If a GC was caused while constructing this object, the elements pointer
|
||||
// may point to a one pointer filler map. The object won't be rooted, but
|
||||
// our heap verification code could stumble across it.
|
||||
bool ElementsAreSafeToExamine();
|
||||
#endif
|
||||
Object* SlowReverseLookup(Object* value);
|
||||
|
||||
|
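Review bot: The new declaration of `ElementsAreSafeToExamine` is placed directly before an `#endif` whose opening guard is outside the hunk, next to `IncrementSpillStatistics`, which in this tree appears to live under `#ifdef DEBUG` (its implementation sits beside `SpillInformation::Print` in objects-debug.cc); the new callers `JSObjectVerify` and `JSArrayVerify`, however, are compiled under `VERIFY_HEAP`. If that guard is indeed `DEBUG`, a build that enables heap verification without `DEBUG` would reference an undeclared member and fail to compile, and the definition in objects-debug.cc sits under the same guard. I would move the declaration and definition under `#if defined(DEBUG) || defined(VERIFY_HEAP)`, or confirm that `VERIFY_HEAP` cannot be enabled without `DEBUG` here. The comment on the declaration could also state the contract rather than only the symptom: `// Returns false while elements() still holds the one-pointer filler left by a GC during construction (presumably only possible without allocation folding — verify).`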
@ -33,9 +33,6 @@
|
||||
# TODO(mvstanton) Re-enable when the performance is bearable again.
|
||||
'regress/regress-2185-2': [SKIP],
|
||||
|
||||
# TODO(mvstanton) Re-enable when the bug is fixed.
|
||||
'regress/regress-2612': [PASS, ['mode == debug', SKIP]],
|
||||
|
||||
##############################################################################
|
||||
# Fails.
|
||||
'regress/regress-1119': [FAIL],
|
||||
|