AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Revert "[heap-verification] Increase verification for arguments objects"

Browse Source 
This reverts commit b9194e93f2.

Reason for revert: Makes old pipeline flaky with custom snapshot:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20custom%20snapshot%20-%20debug/builds/14049

Original change's description:
> [heap-verification] Increase verification for arguments objects
> 
> BUG: v8:6251
> Change-Id: I8a6dd528656a69c7910770acaf2133830b60c291
> Reviewed-on: https://chromium-review.googlesource.com/475651
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44609}

TBR=jkummerow@chromium.org,cbruni@chromium.org,v8-reviews@googlegroups.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Change-Id: Iedfdad290bf4f5f6ec2534e8c5378a7cc195db82
Reviewed-on: https://chromium-review.googlesource.com/475719
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44616}
This commit is contained in:
Michael Achenbach 2017-04-12 14:06:10 +00:00 committed by Commit Bot
parent 7079bdb830
commit e63d74b117
4 changed files with 7 additions and 132 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
src/objects-debug.cc
View File

@ -8,7 +8,6 @@
#include "src/bootstrapper.h"
#include "src/disasm.h"
#include "src/disassembler.h"
#include "src/elements.h"
#include "src/field-type.h"
#include "src/layout-descriptor.h"
#include "src/macro-assembler.h"
@ -106,14 +105,12 @@ void HeapObject::HeapObjectVerify() {
break;
case JS_OBJECT_TYPE:
case JS_ERROR_TYPE:
case JS_ARGUMENTS_TYPE:
case JS_API_OBJECT_TYPE:
case JS_SPECIAL_API_OBJECT_TYPE:
case JS_CONTEXT_EXTENSION_OBJECT_TYPE:
JSObject::cast(this)->JSObjectVerify();
break;
case JS_ARGUMENTS_TYPE:
JSArgumentsObject::cast(this)->JSArgumentsObjectVerify();
break;
case JS_GENERATOR_OBJECT_TYPE:
JSGeneratorObject::cast(this)->JSGeneratorObjectVerify();
break;
@ -165,7 +162,6 @@ void HeapObject::HeapObjectVerify() {
case JS_MAP_ITERATOR_TYPE:
JSMapIterator::cast(this)->JSMapIteratorVerify();
break;
case JS_TYPED_ARRAY_KEY_ITERATOR_TYPE:
case JS_FAST_ARRAY_KEY_ITERATOR_TYPE:
case JS_GENERIC_ARRAY_KEY_ITERATOR_TYPE:
@ -330,7 +326,11 @@ void JSObject::JSObjectVerify() {
VerifyHeapPointer(properties());
VerifyHeapPointer(elements());
CHECK_IMPLIES(HasSloppyArgumentsElements(), IsJSArgumentsObject());
if (HasSloppyArgumentsElements()) {
CHECK(this->elements()->IsFixedArray());
CHECK_GE(this->elements()->length(), 2);
}
if (HasFastProperties()) {
int actual_unused_property_fields = map()->GetInObjectProperties() +
properties()->length() -
@ -474,60 +474,6 @@ void TransitionArray::TransitionArrayVerify() {
next_link()->IsTransitionArray());
}
void JSArgumentsObject::JSArgumentsObjectVerify() {
VerifyObjectField(kLengthOffset);
if (IsSloppyArgumentsElementsKind(GetElementsKind())) {
JSSloppyArgumentsObject::cast(this)->JSSloppyArgumentsObjectVerify();
}
JSObjectVerify();
}
void JSSloppyArgumentsObject::JSSloppyArgumentsObjectVerify() {
VerifyObjectField(kCalleeOffset);
ElementsKind kind = GetElementsKind();
CHECK(IsSloppyArgumentsElementsKind(kind));
SloppyArgumentsElements::cast(elements())
->SloppyArgumentsElementsVerify(this);
}
void SloppyArgumentsElements::SloppyArgumentsElementsVerify(
JSSloppyArgumentsObject* holder) {
Isolate* isolate = GetIsolate();
FixedArrayVerify();
// Abort verification if only partially initialized
if (arguments()->IsUndefined(isolate)) return;
ElementsKind kind = holder->GetElementsKind();
CHECK(IsFixedArray());
CHECK_GE(length(), 2);
CHECK_EQ(map(), isolate->heap()->sloppy_arguments_elements_map());
Context* contextObject = Context::cast(context());
FixedArray* argElements = FixedArray::cast(arguments());
if (argElements->length() == 0) {
CHECK(argElements == isolate->heap()->empty_fixed_array());
return;
}
int nofMappedParameters =
length() - SloppyArgumentsElements::kParameterMapStart;
CHECK_LE(nofMappedParameters, contextObject->length());
CHECK_LE(nofMappedParameters, argElements->length());
ElementsAccessor* accessor;
if (kind == FAST_SLOPPY_ARGUMENTS_ELEMENTS) {
accessor = ElementsAccessor::ForKind(FAST_HOLEY_ELEMENTS);
} else {
accessor = ElementsAccessor::ForKind(DICTIONARY_ELEMENTS);
}
for (int i = 0; i < nofMappedParameters; i++) {
// Verify that each mapped arguments is either the hole or a valid Smi
// within context length range.
Object* mapped = get_mapped_entry(i);
if (mapped->IsTheHole(isolate)) continue;
Object* value = contextObject->get(Smi::cast(mapped)->value());
CHECK(value->IsObject());
// None of the context-mapped entries should exist in the arguments elements
CHECK(!accessor->HasElement(holder, i, argElements));
}
}
void JSGeneratorObject::JSGeneratorObjectVerify() {
// In an expression like "new g()", there can be a point where a generator

9
src/objects-inl.h
View File

@ -202,10 +202,6 @@ bool HeapObject::IsFixedArray() const {
bool HeapObject::IsSloppyArgumentsElements() const { return IsFixedArray(); }
bool HeapObject::IsJSSloppyArgumentsObject() const {
return IsJSArgumentsObject();
}
bool HeapObject::IsJSGeneratorObject() const {
return map()->instance_type() == JS_GENERATOR_OBJECT_TYPE ||
IsJSAsyncGeneratorObject();
@ -636,7 +632,6 @@ CAST_ACCESSOR(Foreign)
CAST_ACCESSOR(GlobalDictionary)
CAST_ACCESSOR(HandlerTable)
CAST_ACCESSOR(HeapObject)
CAST_ACCESSOR(JSArgumentsObject);
CAST_ACCESSOR(JSArray)
CAST_ACCESSOR(JSArrayBuffer)
CAST_ACCESSOR(JSArrayBufferView)
@ -660,7 +655,6 @@ CAST_ACCESSOR(JSPromiseCapability)
CAST_ACCESSOR(JSPromise)
CAST_ACCESSOR(JSSet)
CAST_ACCESSOR(JSSetIterator)
CAST_ACCESSOR(JSSloppyArgumentsObject)
CAST_ACCESSOR(JSAsyncFromSyncIterator)
CAST_ACCESSOR(JSStringIterator)
CAST_ACCESSOR(JSArrayIterator)
@ -5456,9 +5450,6 @@ void Map::SetBackPointer(Object* value, WriteBarrierMode mode) {
set_constructor_or_backpointer(value, mode);
}
ACCESSORS(JSArgumentsObject, length, Object, kLengthOffset);
ACCESSORS(JSSloppyArgumentsObject, callee, Object, kCalleeOffset);
ACCESSORS(Map, code_cache, FixedArray, kCodeCacheOffset)
ACCESSORS(Map, dependent_code, DependentCode, kDependentCodeOffset)
ACCESSORS(Map, weak_cell_cache, Object, kWeakCellCacheOffset)

17
src/objects.h
View File

@ -1011,7 +1011,6 @@ template <class C> inline bool Is(Object* obj);
V(JSReceiver) \
V(JSObject) \
V(JSArgumentsObject) \
V(JSSloppyArgumentsObject) \
V(JSContextExtensionObject) \
V(JSGeneratorObject) \
V(JSAsyncGeneratorObject) \
@ -2683,11 +2682,6 @@ class JSArgumentsObject: public JSObject {
// Indices of in-object properties.
static const int kLengthIndex = 0;
DECL_ACCESSORS(length, Object)
DECLARE_VERIFIER(JSArgumentsObject)
DECLARE_CAST(JSArgumentsObject)
private:
DISALLOW_IMPLICIT_CONSTRUCTORS(JSArgumentsObject);
};
@ -2703,11 +2697,6 @@ class JSSloppyArgumentsObject: public JSArgumentsObject {
// Indices of in-object properties.
static const int kCalleeIndex = 1;
DECL_ACCESSORS(callee, Object)
DECLARE_VERIFIER(JSSloppyArgumentsObject)
DECLARE_CAST(JSSloppyArgumentsObject)
private:
DISALLOW_IMPLICIT_CONSTRUCTORS(JSSloppyArgumentsObject);
};
@ -2720,8 +2709,6 @@ class JSStrictArgumentsObject: public JSArgumentsObject {
// Offsets of object fields.
static const int kSize = JSArgumentsObject::kHeaderSize;
DECLARE_CAST(JSStrictArgumentsObject)
private:
DISALLOW_IMPLICIT_CONSTRUCTORS(JSStrictArgumentsObject);
};
@ -2893,7 +2880,6 @@ class FixedDoubleArray: public FixedArrayBase {
// Helper class to access FAST_ and SLOW_SLOPPY_ARGUMENTS_ELEMENTS
//
// SloppyArgumentsElements
// +---+-----------------------+
// | 0 | Context* context |
// +---------------------------+
@ -2928,9 +2914,6 @@ class SloppyArgumentsElements : public FixedArray {
inline void set_mapped_entry(uint32_t entry, Object* object);
DECLARE_CAST(SloppyArgumentsElements)
#ifdef VERIFY_HEAP
void SloppyArgumentsElementsVerify(JSSloppyArgumentsObject* holder);
#endif
private:
DISALLOW_IMPLICIT_CONSTRUCTORS(SloppyArgumentsElements);

47
test/mjsunit/element-read-only.js
View File

@ -2,23 +2,17 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f(a, b, c, d) { return arguments; }
// Ensure non-configurable argument elements stay non-configurable.
(function () {
var args = f(1);
Object.defineProperty(args, "0", {value: 10, configurable: false});
%HeapObjectVerify(args);
assertFalse(Object.getOwnPropertyDescriptor(args, "0").configurable);
%HeapObjectVerify(args);
for (var i = 0; i < 10; i++) {
args[i] = 1;
}
%HeapObjectVerify(args);
assertFalse(Object.getOwnPropertyDescriptor(args, "0").configurable);
%HeapObjectVerify(args);
})();
// Ensure read-only properties on the prototype chain cause TypeError.
@ -33,11 +27,7 @@ function f(a, b, c, d) { return arguments; }
for (var i = 0; i < index; i++) {
store(o, i, 0);
}
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
Object.defineProperty(proto, index, {value: 100, writable: false});
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
assertThrows(function() { store(o, index, 0); });
assertEquals(100, o[index]);
})();
@ -52,11 +42,7 @@ function f(a, b, c, d) { return arguments; }
for (var i = 0; i < index; i++) {
store(o, i, 0);
}
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
Object.defineProperty(proto, index, {value: 100, writable: false});
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
assertThrows(function() { store(o, index, 0); });
assertEquals(100, o[index]);
})();
@ -71,11 +57,7 @@ function f(a, b, c, d) { return arguments; }
for (var i = 0; i < index; i++) {
store(o, i, 0);
}
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
Object.defineProperty(proto, index, {value: 100, writable: false});
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
assertThrows(function() { store(o, index, 0); });
assertEquals(100, o[index]);
})();
@ -90,11 +72,7 @@ function f(a, b, c, d) { return arguments; }
for (var i = 0; i < index; i++) {
store(o, i, 0);
}
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
Object.defineProperty(proto, index, {value: 100, writable: false});
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
assertThrows(function() { store(o, index, 0); });
assertEquals(100, o[index]);
})();
@ -109,17 +87,12 @@ function f(a, b, c, d) { return arguments; }
for (var i = 0; i < index; i++) {
store(o, i, 0);
}
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
Object.preventExtensions(proto);
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
Object.defineProperty(proto, index, {value: 100, writable: false});
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
assertThrows(function() { store(o, index, 0); });
assertEquals(100, o[index]);
})();
// Extensions prevented arguments object.
(function () {
var o = [];
@ -130,14 +103,8 @@ function f(a, b, c, d) { return arguments; }
for (var i = 0; i < index; i++) {
store(o, i, 0);
}
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
Object.preventExtensions(proto);
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
Object.defineProperty(proto, index, {value: 100, writable: false});
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
assertThrows(function() { store(o, index, 0); });
assertEquals(100, o[index]);
})();
@ -153,11 +120,7 @@ function f(a, b, c, d) { return arguments; }
store(o, i, 0);
}
proto[1 << 30] = 1;
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
Object.defineProperty(proto, index, {value: 100, writable: false});
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
assertThrows(function() { store(o, index, 0); });
assertEquals(100, o[index]);
})();
@ -171,11 +134,7 @@ function f(a, b, c, d) { return arguments; }
for (var i = 0; i < 3; i++) {
store(o, i, 0);
}
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
Object.freeze(proto);
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
assertThrows(function() { store(o, 3, 0); });
assertEquals(3, o[3]);
})();
@ -189,11 +148,7 @@ function f(a, b, c, d) { return arguments; }
for (var i = 0; i < 3; i++) {
store(o, i, 0);
}
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
Object.freeze(proto);
%HeapObjectVerify(proto);
%HeapObjectVerify(o);
assertThrows(function() { store(o, 3, 0); });
assertEquals(3, o[3]);
})();