objects-debug.cc 62.6 KB
Newer Older
1
// Copyright 2012 the V8 project authors. All rights reserved.
2 3
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
4

5
#include "src/objects/objects.h"
6

7
#include "src/codegen/assembler-inl.h"
Yang Guo's avatar
Yang Guo committed
8
#include "src/date/date.h"
9 10
#include "src/diagnostics/disasm.h"
#include "src/diagnostics/disassembler.h"
11
#include "src/heap/combined-heap.h"
12
#include "src/heap/heap-write-barrier-inl.h"
13
#include "src/heap/read-only-heap.h"
14
#include "src/ic/handler-configuration-inl.h"
15
#include "src/init/bootstrapper.h"
16
#include "src/logging/counters.h"
17
#include "src/objects/allocation-site-inl.h"
18
#include "src/objects/arguments-inl.h"
19
#include "src/objects/bigint.h"
20
#include "src/objects/cell-inl.h"
21
#include "src/objects/data-handler-inl.h"
22
#include "src/objects/debug-objects-inl.h"
23
#include "src/objects/elements.h"
24
#include "src/objects/embedder-data-array-inl.h"
25
#include "src/objects/embedder-data-slot-inl.h"
26
#include "src/objects/feedback-cell-inl.h"
27
#include "src/objects/field-type.h"
28
#include "src/objects/foreign-inl.h"
29
#include "src/objects/free-space-inl.h"
30
#include "src/objects/function-kind.h"
31
#include "src/objects/hash-table-inl.h"
32
#include "src/objects/js-array-inl.h"
33
#include "src/objects/layout-descriptor.h"
34
#include "src/objects/objects-inl.h"
35
#include "src/roots/roots.h"
36
#ifdef V8_INTL_SUPPORT
37
#include "src/objects/js-break-iterator-inl.h"
38 39
#include "src/objects/js-collator-inl.h"
#endif  // V8_INTL_SUPPORT
40
#include "src/objects/js-collection-inl.h"
41 42
#ifdef V8_INTL_SUPPORT
#include "src/objects/js-date-time-format-inl.h"
43
#include "src/objects/js-display-names-inl.h"
44
#endif  // V8_INTL_SUPPORT
45
#include "src/objects/js-generator-inl.h"
46
#ifdef V8_INTL_SUPPORT
47
#include "src/objects/js-list-format-inl.h"
48
#include "src/objects/js-locale-inl.h"
49 50
#include "src/objects/js-number-format-inl.h"
#include "src/objects/js-plural-rules-inl.h"
51
#endif  // V8_INTL_SUPPORT
52 53
#include "src/objects/js-regexp-inl.h"
#include "src/objects/js-regexp-string-iterator-inl.h"
54 55
#ifdef V8_INTL_SUPPORT
#include "src/objects/js-relative-time-format-inl.h"
56
#include "src/objects/js-segment-iterator-inl.h"
57
#include "src/objects/js-segmenter-inl.h"
58
#endif  // V8_INTL_SUPPORT
59
#include "src/objects/js-weak-refs-inl.h"
60
#include "src/objects/literal-objects-inl.h"
61
#include "src/objects/maybe-object.h"
62
#include "src/objects/microtask-inl.h"
63
#include "src/objects/module-inl.h"
64
#include "src/objects/oddball-inl.h"
65
#include "src/objects/promise-inl.h"
66
#include "src/objects/property-descriptor-object-inl.h"
67
#include "src/objects/stack-frame-info-inl.h"
68
#include "src/objects/struct-inl.h"
69
#include "src/objects/template-objects-inl.h"
70
#include "src/objects/transitions-inl.h"
71
#include "src/regexp/regexp.h"
72
#include "src/utils/ostreams.h"
73
#include "src/wasm/wasm-objects-inl.h"
74
#include "torque-generated/class-verifiers-tq.h"
75
#include "torque-generated/exported-class-definitions-tq-inl.h"
76
#include "torque-generated/internal-class-definitions-tq-inl.h"
77

78 79
namespace v8 {
namespace internal {
80

81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102
// Heap Verification Overview
// --------------------------
// - Each InstanceType has a separate XXXVerify method which checks an object's
//   integrity in isolation.
// - --verify-heap will iterate over all gc spaces and call ObjectVerify() on
//   every encountered tagged pointer.
// - Verification should be pushed down to the specific instance type if its
//   integrity is independent of an outer object.
// - In cases where the InstanceType is too genernic (e.g. FixedArray) the
//   XXXVerify of the outer method has to do recursive verification.
// - If the corresponding objects have inheritence the parent's Verify method
//   is called as well.
// - For any field containing pointes VerifyPointer(...) should be called.
//
// Caveats
// -------
// - Assume that any of the verify methods is incomplete!
// - Some integrity checks are only partially done due to objects being in
//   partially initialized states when a gc happens, for instance when outer
//   objects are allocted before inner ones.
//

103
#ifdef VERIFY_HEAP
104

105 106 107
#define USE_TORQUE_VERIFIER(Class)                                \
  void Class::Class##Verify(Isolate* isolate) {                   \
    TorqueGeneratedClassVerifiers::Class##Verify(*this, isolate); \
108 109
  }

110
void Object::ObjectVerify(Isolate* isolate) {
111
  RuntimeCallTimerScope timer(isolate, RuntimeCallCounterId::kObjectVerify);
112
  if (IsSmi()) {
113
    Smi::cast(*this).SmiVerify(isolate);
114
  } else {
115
    HeapObject::cast(*this).HeapObjectVerify(isolate);
116
  }
117
  CHECK(!IsConstructor() || IsCallable());
118 119
}

120
void Object::VerifyPointer(Isolate* isolate, Object p) {
121
  if (p.IsHeapObject()) {
122
    HeapObject::VerifyHeapPointer(isolate, p);
123
  } else {
124
    CHECK(p.IsSmi());
125 126 127
  }
}

128
void MaybeObject::VerifyMaybeObjectPointer(Isolate* isolate, MaybeObject p) {
129
  HeapObject heap_object;
130
  if (p->GetHeapObject(&heap_object)) {
131
    HeapObject::VerifyHeapPointer(isolate, heap_object);
132
  } else {
133
    CHECK(p->IsSmi() || p->IsCleared());
134 135 136
  }
}

137
void Smi::SmiVerify(Isolate* isolate) {
138
  CHECK(IsSmi());
139
  CHECK(!IsCallable());
140
  CHECK(!IsConstructor());
141 142
}

143 144 145 146
void TaggedIndex::TaggedIndexVerify(Isolate* isolate) {
  CHECK(IsTaggedIndex());
}

147
void HeapObject::HeapObjectVerify(Isolate* isolate) {
148
  TorqueGeneratedClassVerifiers::HeapObjectVerify(*this, isolate);
149

150
  switch (map().instance_type()) {
151
#define STRING_TYPE_CASE(TYPE, size, name, CamelName) case TYPE:
152 153
    STRING_TYPE_LIST(STRING_TYPE_CASE)
#undef STRING_TYPE_CASE
154
    if (IsConsString()) {
155
      ConsString::cast(*this).ConsStringVerify(isolate);
156
    } else if (IsSlicedString()) {
157
      SlicedString::cast(*this).SlicedStringVerify(isolate);
158
    } else if (IsThinString()) {
159
      ThinString::cast(*this).ThinStringVerify(isolate);
160 161 162 163
    } else if (IsSeqString()) {
      SeqString::cast(*this).SeqStringVerify(isolate);
    } else if (IsExternalString()) {
      ExternalString::cast(*this).ExternalStringVerify(isolate);
164
    } else {
165
      String::cast(*this).StringVerify(isolate);
166
    }
167
    break;
168
    case OBJECT_BOILERPLATE_DESCRIPTION_TYPE:
169
      ObjectBoilerplateDescription::cast(*this)
170
          .ObjectBoilerplateDescriptionVerify(isolate);
171 172
      break;
    // FixedArray types
173
    case CLOSURE_FEEDBACK_CELL_ARRAY_TYPE:
174
    case HASH_TABLE_TYPE:
175 176
    case ORDERED_HASH_MAP_TYPE:
    case ORDERED_HASH_SET_TYPE:
177
    case ORDERED_NAME_DICTIONARY_TYPE:
178 179 180 181 182
    case NAME_DICTIONARY_TYPE:
    case GLOBAL_DICTIONARY_TYPE:
    case NUMBER_DICTIONARY_TYPE:
    case SIMPLE_NUMBER_DICTIONARY_TYPE:
    case STRING_TABLE_TYPE:
183
    case EPHEMERON_HASH_TABLE_TYPE:
184
    case FIXED_ARRAY_TYPE:
185
    case SCOPE_INFO_TYPE:
186
    case SCRIPT_CONTEXT_TABLE_TYPE:
187
      FixedArray::cast(*this).FixedArrayVerify(isolate);
188
      break;
189
    case AWAIT_CONTEXT_TYPE:
190 191 192 193 194 195 196 197
    case BLOCK_CONTEXT_TYPE:
    case CATCH_CONTEXT_TYPE:
    case DEBUG_EVALUATE_CONTEXT_TYPE:
    case EVAL_CONTEXT_TYPE:
    case FUNCTION_CONTEXT_TYPE:
    case MODULE_CONTEXT_TYPE:
    case SCRIPT_CONTEXT_TYPE:
    case WITH_CONTEXT_TYPE:
198
      Context::cast(*this).ContextVerify(isolate);
199 200
      break;
    case NATIVE_CONTEXT_TYPE:
201
      NativeContext::cast(*this).NativeContextVerify(isolate);
202
      break;
203
    case WEAK_FIXED_ARRAY_TYPE:
204
      WeakFixedArray::cast(*this).WeakFixedArrayVerify(isolate);
205
      break;
206
    case FEEDBACK_METADATA_TYPE:
207
      FeedbackMetadata::cast(*this).FeedbackMetadataVerify(isolate);
208
      break;
209
    case TRANSITION_ARRAY_TYPE:
210
      TransitionArray::cast(*this).TransitionArrayVerify(isolate);
211
      break;
212

213
    case CODE_TYPE:
214
      Code::cast(*this).CodeVerify(isolate);
215 216
      break;
    case JS_OBJECT_TYPE:
217
    case JS_ERROR_TYPE:
218
    case JS_API_OBJECT_TYPE:
219
    case JS_SPECIAL_API_OBJECT_TYPE:
ager@chromium.org's avatar
ager@chromium.org committed
220
    case JS_CONTEXT_EXTENSION_OBJECT_TYPE:
221
      JSObject::cast(*this).JSObjectVerify(isolate);
222
      break;
223
    case WASM_INSTANCE_OBJECT_TYPE:
224
      WasmInstanceObject::cast(*this).WasmInstanceObjectVerify(isolate);
225
      break;
226
    case JS_GENERATOR_OBJECT_TYPE:
227
      JSGeneratorObject::cast(*this).JSGeneratorObjectVerify(isolate);
228
      break;
229 230
    case JS_SET_KEY_VALUE_ITERATOR_TYPE:
    case JS_SET_VALUE_ITERATOR_TYPE:
231
      JSSetIterator::cast(*this).JSSetIteratorVerify(isolate);
232
      break;
233 234 235
    case JS_MAP_KEY_ITERATOR_TYPE:
    case JS_MAP_KEY_VALUE_ITERATOR_TYPE:
    case JS_MAP_VALUE_ITERATOR_TYPE:
236
      JSMapIterator::cast(*this).JSMapIteratorVerify(isolate);
237
      break;
238 239
    case FILLER_TYPE:
      break;
240
    case CODE_DATA_CONTAINER_TYPE:
241
      CodeDataContainer::cast(*this).CodeDataContainerVerify(isolate);
242
      break;
243

244
#define MAKE_TORQUE_CASE(Name, TYPE)         \
245 246
  case TYPE:                                 \
    Name::cast(*this).Name##Verify(isolate); \
247
    break;
248 249 250
      // Every class that has its fields defined in a .tq file and corresponds
      // to exactly one InstanceType value is included in the following list.
      TORQUE_INSTANCE_CHECKERS_SINGLE_FULLY_DEFINED(MAKE_TORQUE_CASE)
251
      TORQUE_INSTANCE_CHECKERS_MULTIPLE_FULLY_DEFINED(MAKE_TORQUE_CASE)
252
#undef MAKE_TORQUE_CASE
253

254
    case ALLOCATION_SITE_TYPE:
255
      AllocationSite::cast(*this).AllocationSiteVerify(isolate);
256 257
      break;

258
    case LOAD_HANDLER_TYPE:
259
      LoadHandler::cast(*this).LoadHandlerVerify(isolate);
260 261 262
      break;

    case STORE_HANDLER_TYPE:
263
      StoreHandler::cast(*this).StoreHandlerVerify(isolate);
264
      break;
265 266 267
  }
}

268
// static
269
void HeapObject::VerifyHeapPointer(Isolate* isolate, Object p) {
270
  CHECK(p.IsHeapObject());
271
  CHECK(IsValidHeapObject(isolate->heap(), HeapObject::cast(p)));
272 273
}

274
void Symbol::SymbolVerify(Isolate* isolate) {
275
  TorqueGeneratedClassVerifiers::SymbolVerify(*this, isolate);
276
  CHECK(HasHashCode());
277
  CHECK_GT(Hash(), 0);
278
  CHECK(description().IsUndefined(isolate) || description().IsString());
279
  CHECK_IMPLIES(IsPrivateName(), IsPrivate());
280
  CHECK_IMPLIES(IsPrivateBrand(), IsPrivateName());
281 282
}

283
void BytecodeArray::BytecodeArrayVerify(Isolate* isolate) {
284
  // TODO(oth): Walk bytecodes and immediate values to validate sanity.
285 286 287 288
  // - All bytecodes are known and well formed.
  // - Jumps must go to new instructions starts.
  // - No Illegal bytecodes.
  // - No consecutive sequences of prefix Wide / ExtraWide.
289
  CHECK(IsBytecodeArray());
290
  CHECK(constant_pool().IsFixedArray());
291
  VerifyHeapPointer(isolate, constant_pool());
292
  CHECK(source_position_table().IsUndefined() ||
293
        source_position_table().IsException() ||
294
        source_position_table().IsByteArray());
295
  CHECK(handler_table().IsByteArray());
296 297
}

298
USE_TORQUE_VERIFIER(FeedbackVector)
299

300 301
USE_TORQUE_VERIFIER(JSReceiver)

302
bool JSObject::ElementsAreSafeToExamine(const Isolate* isolate) const {
303 304
  // If a GC was caused while constructing this object, the elements
  // pointer may point to a one pointer filler map.
305 306
  return elements(isolate) !=
         GetReadOnlyRoots(isolate).one_pointer_filler_map();
307 308
}

309
namespace {
310

311
void VerifyJSObjectElements(Isolate* isolate, JSObject object) {
312
  // Only TypedArrays can have these specialized elements.
313
  if (object.IsJSTypedArray()) {
314 315 316
    // TODO(bmeurer,v8:4153): Fix CreateTypedArray to either not instantiate
    // the object or propertly initialize it on errors during construction.
    /* CHECK(object->HasTypedArrayElements()); */
317 318
    return;
  }
319
  CHECK(!object.elements().IsByteArray());
320

321 322 323
  if (object.HasDoubleElements()) {
    if (object.elements().length() > 0) {
      CHECK(object.elements().IsFixedDoubleArray());
324 325 326 327
    }
    return;
  }

328 329 330 331 332
  if (object.HasSloppyArgumentsElements()) {
    CHECK(object.elements().IsSloppyArgumentsElements());
    return;
  }

333 334
  FixedArray elements = FixedArray::cast(object.elements());
  if (object.HasSmiElements()) {
335 336
    // We might have a partially initialized backing store, in which case we
    // allow the hole + smi values.
337 338 339
    for (int i = 0; i < elements.length(); i++) {
      Object value = elements.get(i);
      CHECK(value.IsSmi() || value.IsTheHole(isolate));
340
    }
341 342 343
  } else if (object.HasObjectElements()) {
    for (int i = 0; i < elements.length(); i++) {
      Object element = elements.get(i);
344
      CHECK(!HasWeakHeapObjectTag(element));
345 346 347 348
    }
  }
}
}  // namespace
349

350
void JSObject::JSObjectVerify(Isolate* isolate) {
351
  TorqueGeneratedClassVerifiers::JSObjectVerify(*this, isolate);
352
  VerifyHeapPointer(isolate, elements());
353

354
  CHECK_IMPLIES(HasSloppyArgumentsElements(), IsJSArgumentsObject());
355
  if (HasFastProperties()) {
356 357 358 359
    int actual_unused_property_fields = map().GetInObjectProperties() +
                                        property_array().length() -
                                        map().NextFreePropertyIndex();
    if (map().UnusedPropertyFields() != actual_unused_property_fields) {
360 361 362
      // There are two reasons why this can happen:
      // - in the middle of StoreTransitionStub when the new extended backing
      //   store is already set into the object and the allocation of the
363
      //   HeapNumber triggers GC while the map isn't updated yet.
364 365
      // - deletion of the last property can leave additional backing store
      //   capacity behind.
366 367
      CHECK_GT(actual_unused_property_fields, map().UnusedPropertyFields());
      int delta = actual_unused_property_fields - map().UnusedPropertyFields();
368
      CHECK_EQ(0, delta % JSObject::kFieldsAdded);
369
    }
370
    DescriptorArray descriptors = map().instance_descriptors();
371
    bool is_transitionable_fast_elements_kind =
372
        IsTransitionableFastElementsKind(map().elements_kind());
373

374
    for (InternalIndex i : map().IterateOwnDescriptors()) {
375
      PropertyDetails details = descriptors.GetDetails(i);
376 377
      if (details.location() == kField) {
        DCHECK_EQ(kData, details.kind());
378
        Representation r = details.representation();
379 380 381 382 383
        FieldIndex index = FieldIndex::ForDescriptor(map(), i);
        if (IsUnboxedDoubleField(index)) {
          DCHECK(r.IsDouble());
          continue;
        }
384 385 386
        if (COMPRESS_POINTERS_BOOL && index.is_inobject()) {
          VerifyObjectField(isolate, index.offset());
        }
387
        Object value = RawFastPropertyAt(index);
388
        if (r.IsDouble()) DCHECK(value.IsHeapNumber());
389 390 391 392 393 394
        if (value.IsUninitialized(isolate)) continue;
        if (r.IsSmi()) DCHECK(value.IsSmi());
        if (r.IsHeapObject()) DCHECK(value.IsHeapObject());
        FieldType field_type = descriptors.GetFieldType(i);
        bool type_is_none = field_type.IsNone();
        bool type_is_any = field_type.IsAny();
395 396 397
        if (r.IsNone()) {
          CHECK(type_is_none);
        } else if (!type_is_any && !(type_is_none && r.IsHeapObject())) {
398
          CHECK(!field_type.NowStable() || field_type.NowContains(value));
399
        }
400
        CHECK_IMPLIES(is_transitionable_fast_elements_kind,
401
                      Map::IsMostGeneralFieldType(r, field_type));
402 403
      }
    }
404

405 406 407 408 409
    if (map().EnumLength() != kInvalidEnumCacheSentinel) {
      EnumCache enum_cache = descriptors.enum_cache();
      FixedArray keys = enum_cache.keys();
      FixedArray indices = enum_cache.indices();
      CHECK_LE(map().EnumLength(), keys.length());
410
      CHECK_IMPLIES(indices != ReadOnlyRoots(isolate).empty_fixed_array(),
411
                    keys.length() == indices.length());
412
    }
413
  }
414

415 416
  // If a GC was caused while constructing this object, the elements
  // pointer may point to a one pointer filler map.
417
  if (ElementsAreSafeToExamine(isolate)) {
418
    CHECK_EQ((map().has_fast_smi_or_object_elements() ||
419
              map().has_any_nonextensible_elements() ||
420
              (elements() == GetReadOnlyRoots().empty_fixed_array()) ||
421
              HasFastStringWrapperElements()),
422 423 424
             (elements().map() == GetReadOnlyRoots().fixed_array_map() ||
              elements().map() == GetReadOnlyRoots().fixed_cow_array_map()));
    CHECK_EQ(map().has_fast_object_elements(), HasObjectElements());
425
    VerifyJSObjectElements(isolate, *this);
426
  }
427
}
428

429
void Map::MapVerify(Isolate* isolate) {
430
  TorqueGeneratedClassVerifiers::MapVerify(*this, isolate);
431
  Heap* heap = isolate->heap();
432
  CHECK(!ObjectInYoungGeneration(*this));
433
  CHECK(FIRST_TYPE <= instance_type() && instance_type() <= LAST_TYPE);
434
  CHECK(instance_size() == kVariableSizeSentinel ||
435
        (kTaggedSize <= instance_size() &&
436
         static_cast<size_t>(instance_size()) < heap->Capacity()));
437 438 439
  if (IsContextMap()) {
    CHECK(native_context().IsNativeContext());
  } else {
440
    if (GetBackPointer().IsUndefined(isolate)) {
441 442
      // Root maps must not have descriptors in the descriptor array that do not
      // belong to the map.
443 444
      CHECK_EQ(NumberOfOwnDescriptors(),
               instance_descriptors().number_of_descriptors());
445 446
    } else {
      // If there is a parent map it must be non-stable.
447 448 449 450 451 452 453 454 455 456
      Map parent = Map::cast(GetBackPointer());
      CHECK(!parent.is_stable());
      DescriptorArray descriptors = instance_descriptors();
      if (descriptors == parent.instance_descriptors()) {
        if (NumberOfOwnDescriptors() == parent.NumberOfOwnDescriptors() + 1) {
          // Descriptors sharing through property transitions takes over
          // ownership from the parent map.
          CHECK(!parent.owns_descriptors());
        } else {
          CHECK_EQ(NumberOfOwnDescriptors(), parent.NumberOfOwnDescriptors());
457
          // Descriptors sharing through special transitions properly takes over
458 459
          // ownership from the parent map unless it uses the canonical empty
          // descriptor array.
460 461 462 463
          if (descriptors != ReadOnlyRoots(isolate).empty_descriptor_array()) {
            CHECK_IMPLIES(owns_descriptors(), !parent.owns_descriptors());
            CHECK_IMPLIES(parent.owns_descriptors(), !owns_descriptors());
          }
464 465
        }
      }
466
    }
467
  }
468
  SLOW_DCHECK(instance_descriptors().IsSortedNoDuplicates());
469
  DisallowHeapAllocation no_gc;
470
  SLOW_DCHECK(
471 472
      TransitionsAccessor(isolate, *this, &no_gc).IsSortedNoDuplicates());
  SLOW_DCHECK(TransitionsAccessor(isolate, *this, &no_gc)
473
                  .IsConsistentWithBackPointers());
474
  SLOW_DCHECK(!FLAG_unbox_double_fields ||
475
              layout_descriptor().IsConsistentWithMap(*this));
476 477 478
  // Only JSFunction maps have has_prototype_slot() bit set and constructible
  // JSFunction objects must have prototype slot.
  CHECK_IMPLIES(has_prototype_slot(), instance_type() == JS_FUNCTION_TYPE);
479 480 481 482
  if (!may_have_interesting_symbols()) {
    CHECK(!has_named_interceptor());
    CHECK(!is_dictionary_map());
    CHECK(!is_access_check_needed());
483
    DescriptorArray const descriptors = instance_descriptors();
484
    for (InternalIndex i : IterateOwnDescriptors()) {
485
      CHECK(!descriptors.GetKey(i).IsInterestingSymbol());
486 487 488 489 490
    }
  }
  CHECK_IMPLIES(has_named_interceptor(), may_have_interesting_symbols());
  CHECK_IMPLIES(is_dictionary_map(), may_have_interesting_symbols());
  CHECK_IMPLIES(is_access_check_needed(), may_have_interesting_symbols());
491 492
  CHECK_IMPLIES(IsJSObjectMap() && !CanHaveFastTransitionableElementsKind(),
                IsDictionaryElementsKind(elements_kind()) ||
493
                    IsTerminalElementsKind(elements_kind()) ||
494
                    IsAnyHoleyNonextensibleElementsKind(elements_kind()));
495
  CHECK_IMPLIES(is_deprecated(), !is_stable());
496
  if (is_prototype_map()) {
497
    DCHECK(prototype_info() == Smi::zero() ||
498
           prototype_info().IsPrototypeInfo());
499
  }
500 501
}

502 503
void Map::DictionaryMapVerify(Isolate* isolate) {
  MapVerify(isolate);
504
  CHECK(is_dictionary_map());
505
  CHECK_EQ(kInvalidEnumCacheSentinel, EnumLength());
506 507
  CHECK_EQ(ReadOnlyRoots(isolate).empty_descriptor_array(),
           instance_descriptors());
508
  CHECK_EQ(0, UnusedPropertyFields());
509
  CHECK_EQ(Map::GetVisitorId(*this), visitor_id());
510 511
}

512
void EmbedderDataArray::EmbedderDataArrayVerify(Isolate* isolate) {
513
  TorqueGeneratedClassVerifiers::EmbedderDataArrayVerify(*this, isolate);
514 515 516
  EmbedderDataSlot start(*this, 0);
  EmbedderDataSlot end(*this, length());
  for (EmbedderDataSlot slot = start; slot < end; ++slot) {
517
    Object e = slot.load_tagged();
518 519 520 521
    Object::VerifyPointer(isolate, e);
  }
}

522
void WeakFixedArray::WeakFixedArrayVerify(Isolate* isolate) {
523
  TorqueGeneratedClassVerifiers::WeakFixedArrayVerify(*this, isolate);
524
  for (int i = 0; i < length(); i++) {
525
    MaybeObject::VerifyMaybeObjectPointer(isolate, Get(i));
526 527 528
  }
}

529
void PropertyArray::PropertyArrayVerify(Isolate* isolate) {
530
  TorqueGeneratedClassVerifiers::PropertyArrayVerify(*this, isolate);
531
  if (length() == 0) {
532
    CHECK_EQ(*this, ReadOnlyRoots(isolate).empty_property_array());
533 534 535 536
    return;
  }
  // There are no empty PropertyArrays.
  CHECK_LT(0, length());
537
  for (int i = 0; i < length(); i++) {
538
    Object e = get(i);
539
    Object::VerifyPointer(isolate, e);
540 541
  }
}
542

543
void FixedDoubleArray::FixedDoubleArrayVerify(Isolate* isolate) {
544
  TorqueGeneratedClassVerifiers::FixedDoubleArrayVerify(*this, isolate);
545 546
  for (int i = 0; i < length(); i++) {
    if (!is_the_hole(i)) {
547
      uint64_t value = get_representation(i);
548 549
      uint64_t unexpected =
          bit_cast<uint64_t>(std::numeric_limits<double>::quiet_NaN()) &
550
          uint64_t{0x7FF8000000000000};
551
      // Create implementation specific sNaN by inverting relevant bit.
552 553 554
      unexpected ^= uint64_t{0x0008000000000000};
      CHECK((value & uint64_t{0x7FF8000000000000}) != unexpected ||
            (value & uint64_t{0x0007FFFFFFFFFFFF}) == uint64_t{0});
555 556 557 558
    }
  }
}

559
void Context::ContextVerify(Isolate* isolate) {
560
  TorqueGeneratedClassVerifiers::ContextVerify(*this, isolate);
561 562 563 564
  for (int i = 0; i < length(); i++) {
    VerifyObjectField(isolate, OffsetOfElementAt(i));
  }
}
565 566

void NativeContext::NativeContextVerify(Isolate* isolate) {
567
  ContextVerify(isolate);
568
  CHECK_EQ(length(), NativeContext::NATIVE_CONTEXT_SLOTS);
569
  CHECK_EQ(kVariableSizeSentinel, map().instance_size());
570 571
}

572
void FeedbackMetadata::FeedbackMetadataVerify(Isolate* isolate) {
573
  if (slot_count() == 0 && closure_feedback_cell_count() == 0) {
574
    CHECK_EQ(ReadOnlyRoots(isolate).empty_feedback_metadata(), *this);
575
  } else {
576
    FeedbackMetadataIterator iter(*this);
577 578 579 580 581 582 583 584 585
    while (iter.HasNext()) {
      iter.Next();
      FeedbackSlotKind kind = iter.kind();
      CHECK_NE(FeedbackSlotKind::kInvalid, kind);
      CHECK_GT(FeedbackSlotKind::kKindsNumber, kind);
    }
  }
}

586
void DescriptorArray::DescriptorArrayVerify(Isolate* isolate) {
587
  TorqueGeneratedClassVerifiers::DescriptorArrayVerify(*this, isolate);
588
  if (number_of_all_descriptors() == 0) {
589
    CHECK_EQ(ReadOnlyRoots(isolate).empty_descriptor_array(), *this);
590 591
    CHECK_EQ(0, number_of_all_descriptors());
    CHECK_EQ(0, number_of_descriptors());
592
    CHECK_EQ(ReadOnlyRoots(isolate).empty_enum_cache(), enum_cache());
593
  } else {
594 595
    CHECK_LT(0, number_of_all_descriptors());
    CHECK_LE(number_of_descriptors(), number_of_all_descriptors());
596

597 598 599
    // Check that properties with private symbols names are non-enumerable, and
    // that fields are in order.
    int expected_field_index = 0;
600 601 602
    for (InternalIndex descriptor :
         InternalIndex::Range(number_of_descriptors())) {
      Object key = *(GetDescriptorSlot(descriptor.as_int()) + kEntryKeyIndex);
603 604
      // number_of_descriptors() may be out of sync with the actual descriptors
      // written during descriptor array construction.
605
      if (key.IsUndefined(isolate)) continue;
606
      PropertyDetails details = GetDetails(descriptor);
607
      if (Name::cast(key).IsPrivate()) {
608 609
        CHECK_NE(details.attributes() & DONT_ENUM, 0);
      }
610
      MaybeObject value = GetValue(descriptor);
611
      HeapObject heap_object;
612
      if (details.location() == kField) {
613
        CHECK_EQ(details.field_index(), expected_field_index);
614 615 616 617
        CHECK(
            value == MaybeObject::FromObject(FieldType::None()) ||
            value == MaybeObject::FromObject(FieldType::Any()) ||
            value->IsCleared() ||
618
            (value->GetHeapObjectIfWeak(&heap_object) && heap_object.IsMap()));
619
        expected_field_index += details.field_width_in_words();
620
      } else {
621
        CHECK(!value->IsWeakOrCleared());
622
        CHECK(!value->cast<Object>().IsMap());
623
      }
624
    }
625 626
  }
}
627

628 629
void TransitionArray::TransitionArrayVerify(Isolate* isolate) {
  WeakFixedArrayVerify(isolate);
630 631 632
  CHECK_LE(LengthFor(number_of_transitions()), length());
}

633 634 635 636 637
namespace {
void SloppyArgumentsElementsVerify(Isolate* isolate,
                                   SloppyArgumentsElements elements,
                                   JSObject holder) {
  elements.SloppyArgumentsElementsVerify(isolate);
638
  ElementsKind kind = holder.GetElementsKind();
639
  bool is_fast = kind == FAST_SLOPPY_ARGUMENTS_ELEMENTS;
640 641
  Context context_object = elements.context();
  FixedArray arg_elements = elements.arguments();
642
  if (arg_elements.length() == 0) {
643
    CHECK(arg_elements == ReadOnlyRoots(isolate).empty_fixed_array());
644 645 646
    return;
  }
  ElementsAccessor* accessor;
647
  if (is_fast) {
648
    accessor = ElementsAccessor::ForKind(HOLEY_ELEMENTS);
649 650 651
  } else {
    accessor = ElementsAccessor::ForKind(DICTIONARY_ELEMENTS);
  }
652 653
  int nofMappedParameters = 0;
  int maxMappedIndex = 0;
654 655 656
  for (int i = 0; i < nofMappedParameters; i++) {
    // Verify that each context-mapped argument is either the hole or a valid
    // Smi within context length range.
657
    Object mapped = elements.mapped_entries(i);
658
    if (mapped.IsTheHole(isolate)) {
659 660 661 662 663 664 665
      // Slow sloppy arguments can be holey.
      if (!is_fast) continue;
      // Fast sloppy arguments elements are never holey. Either the element is
      // context-mapped or present in the arguments elements.
      CHECK(accessor->HasElement(holder, i, arg_elements));
      continue;
    }
jgruber's avatar
jgruber committed
666
    int mappedIndex = Smi::ToInt(mapped);
667 668 669
    nofMappedParameters++;
    CHECK_LE(maxMappedIndex, mappedIndex);
    maxMappedIndex = mappedIndex;
670 671
    Object value = context_object.get(mappedIndex);
    CHECK(value.IsObject());
672
    // None of the context-mapped entries should exist in the arguments
673
    // elements.
674 675
    CHECK(!accessor->HasElement(holder, i, arg_elements));
  }
676 677 678 679
  CHECK_LE(nofMappedParameters, context_object.length());
  CHECK_LE(nofMappedParameters, arg_elements.length());
  CHECK_LE(maxMappedIndex, context_object.length());
  CHECK_LE(maxMappedIndex, arg_elements.length());
680
}
681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700
}  // namespace

void JSArgumentsObject::JSArgumentsObjectVerify(Isolate* isolate) {
  TorqueGeneratedClassVerifiers::JSArgumentsObjectVerify(*this, isolate);
  if (IsSloppyArgumentsElementsKind(GetElementsKind())) {
    SloppyArgumentsElementsVerify(
        isolate, SloppyArgumentsElements::cast(elements()), *this);
  }
  if (isolate->IsInAnyContext(map(), Context::SLOPPY_ARGUMENTS_MAP_INDEX) ||
      isolate->IsInAnyContext(map(),
                              Context::SLOW_ALIASED_ARGUMENTS_MAP_INDEX) ||
      isolate->IsInAnyContext(map(),
                              Context::FAST_ALIASED_ARGUMENTS_MAP_INDEX)) {
    VerifyObjectField(isolate, JSSloppyArgumentsObject::kLengthOffset);
    VerifyObjectField(isolate, JSSloppyArgumentsObject::kCalleeOffset);
  } else if (isolate->IsInAnyContext(map(),
                                     Context::STRICT_ARGUMENTS_MAP_INDEX)) {
    VerifyObjectField(isolate, JSStrictArgumentsObject::kLengthOffset);
  }
}
701

702
void JSAsyncFunctionObject::JSAsyncFunctionObjectVerify(Isolate* isolate) {
703
  TorqueGeneratedClassVerifiers::JSAsyncFunctionObjectVerify(*this, isolate);
704
  promise().HeapObjectVerify(isolate);
705 706
}

707
void JSAsyncGeneratorObject::JSAsyncGeneratorObjectVerify(Isolate* isolate) {
708
  TorqueGeneratedClassVerifiers::JSAsyncGeneratorObjectVerify(*this, isolate);
709
  queue().HeapObjectVerify(isolate);
710
}
711

712
void JSDate::JSDateVerify(Isolate* isolate) {
713
  TorqueGeneratedClassVerifiers::JSDateVerify(*this, isolate);
714

715
  if (month().IsSmi()) {
jgruber's avatar
jgruber committed
716
    int month = Smi::ToInt(this->month());
717 718
    CHECK(0 <= month && month <= 11);
  }
719
  if (day().IsSmi()) {
jgruber's avatar
jgruber committed
720
    int day = Smi::ToInt(this->day());
721 722
    CHECK(1 <= day && day <= 31);
  }
723
  if (hour().IsSmi()) {
jgruber's avatar
jgruber committed
724
    int hour = Smi::ToInt(this->hour());
725 726
    CHECK(0 <= hour && hour <= 23);
  }
727
  if (min().IsSmi()) {
jgruber's avatar
jgruber committed
728
    int min = Smi::ToInt(this->min());
729 730
    CHECK(0 <= min && min <= 59);
  }
731
  if (sec().IsSmi()) {
jgruber's avatar
jgruber committed
732
    int sec = Smi::ToInt(this->sec());
733 734
    CHECK(0 <= sec && sec <= 59);
  }
735
  if (weekday().IsSmi()) {
jgruber's avatar
jgruber committed
736
    int weekday = Smi::ToInt(this->weekday());
737
    CHECK(0 <= weekday && weekday <= 6);
738
  }
739
  if (cache_stamp().IsSmi()) {
jgruber's avatar
jgruber committed
740 741
    CHECK(Smi::ToInt(cache_stamp()) <=
          Smi::ToInt(isolate->date_cache()->stamp()));
742
  }
743 744
}

745
USE_TORQUE_VERIFIER(JSMessageObject)
746

747
void String::StringVerify(Isolate* isolate) {
748
  TorqueGeneratedClassVerifiers::StringVerify(*this, isolate);
749
  CHECK(length() >= 0 && length() <= Smi::kMaxValue);
750
  CHECK_IMPLIES(length() == 0, *this == ReadOnlyRoots(isolate).empty_string());
751
  if (IsInternalizedString()) {
752
    CHECK(!ObjectInYoungGeneration(*this));
753
  }
754 755
}

756
void ConsString::ConsStringVerify(Isolate* isolate) {
757
  TorqueGeneratedClassVerifiers::ConsStringVerify(*this, isolate);
758
  CHECK_GE(this->length(), ConsString::kMinLength);
759
  CHECK(this->length() == this->first().length() + this->second().length());
760
  if (this->IsFlat()) {
761 762
    // A flat cons can only be created by String::SlowFlatten.
    // Afterwards, the first part may be externalized or internalized.
763 764
    CHECK(this->first().IsSeqString() || this->first().IsExternalString() ||
          this->first().IsThinString());
765 766 767
  }
}

768
void ThinString::ThinStringVerify(Isolate* isolate) {
769
  TorqueGeneratedClassVerifiers::ThinStringVerify(*this, isolate);
770 771
  CHECK(this->actual().IsInternalizedString());
  CHECK(this->actual().IsSeqString() || this->actual().IsExternalString());
772
}
773

774
void SlicedString::SlicedStringVerify(Isolate* isolate) {
775
  TorqueGeneratedClassVerifiers::SlicedStringVerify(*this, isolate);
776 777
  CHECK(!this->parent().IsConsString());
  CHECK(!this->parent().IsSlicedString());
778
  CHECK_GE(this->length(), SlicedString::kMinLength);
779 780
}

781 782
USE_TORQUE_VERIFIER(ExternalString)

783
void JSBoundFunction::JSBoundFunctionVerify(Isolate* isolate) {
784
  TorqueGeneratedClassVerifiers::JSBoundFunctionVerify(*this, isolate);
785
  CHECK(IsCallable());
786
  CHECK_EQ(IsConstructor(), bound_target_function().IsConstructor());
787
}
788

789
void JSFunction::JSFunctionVerify(Isolate* isolate) {
790
  TorqueGeneratedClassVerifiers::JSFunctionVerify(*this, isolate);
791 792
  CHECK(code().IsCode());
  CHECK(map().is_callable());
793
  Handle<JSFunction> function(*this, isolate);
794 795
  LookupIterator it(isolate, function, isolate->factory()->prototype_string(),
                    LookupIterator::OWN_SKIP_INTERCEPTOR);
796
  if (has_prototype_slot()) {
797
    VerifyObjectField(isolate, kPrototypeOrInitialMapOffset);
798
  }
799 800 801 802 803 804 805 806 807

  if (has_prototype_property()) {
    CHECK(it.IsFound());
    CHECK_EQ(LookupIterator::ACCESSOR, it.state());
    CHECK(it.GetAccessors()->IsAccessorInfo());
  } else {
    CHECK(!it.IsFound() || it.state() != LookupIterator::ACCESSOR ||
          !it.GetAccessors()->IsAccessorInfo());
  }
808 809
}

810
void SharedFunctionInfo::SharedFunctionInfoVerify(Isolate* isolate) {
811
  // TODO(leszeks): Add a TorqueGeneratedClassVerifier for OffThreadIsolate.
812
  TorqueGeneratedClassVerifiers::SharedFunctionInfoVerify(*this, isolate);
813 814 815 816 817 818
  this->SharedFunctionInfoVerify(ReadOnlyRoots(isolate));
}

void SharedFunctionInfo::SharedFunctionInfoVerify(OffThreadIsolate* isolate) {
  this->SharedFunctionInfoVerify(ReadOnlyRoots(isolate));
}
819

820
void SharedFunctionInfo::SharedFunctionInfoVerify(ReadOnlyRoots roots) {
821
  Object value = name_or_scope_info();
822 823
  if (value.IsScopeInfo()) {
    CHECK_LT(0, ScopeInfo::cast(value).length());
824
    CHECK_NE(value, roots.empty_scope_info());
825
  }
826

827 828
  CHECK(HasWasmExportedFunctionData() || IsApiFunction() ||
        HasBytecodeArray() || HasAsmWasmData() || HasBuiltinId() ||
829
        HasUncompiledDataWithPreparseData() ||
830 831
        HasUncompiledDataWithoutPreparseData() || HasWasmJSFunctionData() ||
        HasWasmCapiFunctionData());
832

833
  CHECK(script_or_debug_info().IsUndefined(roots) ||
834
        script_or_debug_info().IsScript() || HasDebugInfo());
835

836 837
  if (!is_compiled()) {
    CHECK(!HasFeedbackMetadata());
838
    CHECK(outer_scope_info().IsScopeInfo() ||
839
          outer_scope_info().IsTheHole(roots));
840
  } else if (HasBytecodeArray() && HasFeedbackMetadata()) {
841
    CHECK(feedback_metadata().IsFeedbackMetadata());
842 843
  }

844
  int expected_map_index = Context::FunctionMapIndex(
845
      language_mode(), kind(), HasSharedName(), needs_home_object());
846 847
  CHECK_EQ(expected_map_index, function_map_index());

848
  if (scope_info().length() > 0) {
849
    ScopeInfo info = scope_info();
850
    CHECK(kind() == info.function_kind());
851
    CHECK_EQ(internal::IsModule(kind()), info.scope_type() == MODULE_SCOPE);
852
  }
853 854 855 856 857 858 859 860 861 862 863 864 865

  if (IsApiFunction()) {
    CHECK(construct_as_builtin());
  } else if (!HasBuiltinId()) {
    CHECK(!construct_as_builtin());
  } else {
    int id = builtin_id();
    if (id != Builtins::kCompileLazy && id != Builtins::kEmptyFunction) {
      CHECK(construct_as_builtin());
    } else {
      CHECK(!construct_as_builtin());
    }
  }
866 867 868 869 870

  // At this point we only support skipping arguments adaptor frames
  // for strict mode functions (see https://crbug.com/v8/8895).
  CHECK_IMPLIES(is_safe_to_skip_arguments_adaptor(),
                language_mode() == LanguageMode::kStrict);
871
}
872

873
void JSGlobalProxy::JSGlobalProxyVerify(Isolate* isolate) {
874
  TorqueGeneratedClassVerifiers::JSGlobalProxyVerify(*this, isolate);
875
  CHECK(map().is_access_check_needed());
876
  // Make sure that this object has no properties, elements.
877
  CHECK_EQ(0, FixedArray::cast(elements()).length());
878
}
879

880
void JSGlobalObject::JSGlobalObjectVerify(Isolate* isolate) {
881
  CHECK(IsJSGlobalObject());
yangguo's avatar
yangguo committed
882
  // Do not check the dummy global object for the builtins.
883
  if (global_dictionary().NumberOfElements() == 0 && elements().length() == 0) {
yangguo's avatar
yangguo committed
884
    return;
885
  }
886
  JSObjectVerify(isolate);
887 888
}

889
void Oddball::OddballVerify(Isolate* isolate) {
890
  TorqueGeneratedOddball::OddballVerify(isolate);
891
  Heap* heap = isolate->heap();
892
  Object number = to_number();
893
  if (number.IsHeapObject()) {
894 895
    CHECK(number == ReadOnlyRoots(heap).nan_value() ||
          number == ReadOnlyRoots(heap).hole_nan_value());
896
  } else {
897
    CHECK(number.IsSmi());
jgruber's avatar
jgruber committed
898
    int value = Smi::ToInt(number);
899
    // Hidden oddballs have negative smis.
900
    const int kLeastHiddenOddballNumber = -7;
901
    CHECK_LE(value, 1);
902
    CHECK_GE(value, kLeastHiddenOddballNumber);
903
  }
904 905 906

  ReadOnlyRoots roots(heap);
  if (map() == roots.undefined_map()) {
907
    CHECK(*this == roots.undefined_value());
908
  } else if (map() == roots.the_hole_map()) {
909
    CHECK(*this == roots.the_hole_value());
910
  } else if (map() == roots.null_map()) {
911
    CHECK(*this == roots.null_value());
912
  } else if (map() == roots.boolean_map()) {
913
    CHECK(*this == roots.true_value() || *this == roots.false_value());
914
  } else if (map() == roots.uninitialized_map()) {
915
    CHECK(*this == roots.uninitialized_value());
916
  } else if (map() == roots.arguments_marker_map()) {
917
    CHECK(*this == roots.arguments_marker());
918
  } else if (map() == roots.termination_exception_map()) {
919
    CHECK(*this == roots.termination_exception());
920
  } else if (map() == roots.exception_map()) {
921
    CHECK(*this == roots.exception());
922
  } else if (map() == roots.optimized_out_map()) {
923
    CHECK(*this == roots.optimized_out());
924
  } else if (map() == roots.stale_register_map()) {
925
    CHECK(*this == roots.stale_register());
926
  } else if (map() == roots.self_reference_marker_map()) {
927 928
    // Multiple instances of this oddball may exist at once.
    CHECK_EQ(kind(), Oddball::kSelfReferenceMarker);
929 930
  } else if (map() == roots.basic_block_counters_marker_map()) {
    CHECK(*this == roots.basic_block_counters_marker());
931 932 933
  } else {
    UNREACHABLE();
  }
934 935
}

936
USE_TORQUE_VERIFIER(PropertyCell)
937

938
void CodeDataContainer::CodeDataContainerVerify(Isolate* isolate) {
939
  CHECK(IsCodeDataContainer());
940
  VerifyObjectField(isolate, kNextCodeLinkOffset);
941
  CHECK(next_code_link().IsCode() || next_code_link().IsUndefined(isolate));
942
}
ulan@chromium.org's avatar
ulan@chromium.org committed
943

944
void Code::CodeVerify(Isolate* isolate) {
945 946 947 948
  CHECK_IMPLIES(
      has_safepoint_table(),
      IsAligned(safepoint_table_offset(), static_cast<unsigned>(kIntSize)));
  CHECK_LE(safepoint_table_offset(), handler_table_offset());
949
  CHECK_LE(handler_table_offset(), constant_pool_offset());
950 951
  CHECK_LE(constant_pool_offset(), code_comments_offset());
  CHECK_LE(code_comments_offset(), InstructionSize());
952 953 954 955 956 957 958
  CHECK_IMPLIES(!ReadOnlyHeap::Contains(*this),
                IsAligned(raw_instruction_start(), kCodeAlignment));
  // TODO(delphick): Refactor Factory::CodeBuilder::BuildInternal, so that the
  // following CHECK works builtin trampolines. It currently fails because
  // CodeVerify is called halfway through constructing the trampoline and so not
  // everything is set up.
  // CHECK_EQ(ReadOnlyHeap::Contains(*this), !IsExecutable());
959
  relocation_info().ObjectVerify(isolate);
960 961
  CHECK(Code::SizeFor(body_size()) <= kMaxRegularHeapObjectSize ||
        isolate->heap()->InSpace(*this, CODE_LO_SPACE));
962
  Address last_gc_pc = kNullAddress;
963

964
  for (RelocIterator it(*this); !it.done(); it.next()) {
965
    it.rinfo()->Verify(isolate);
966
    // Ensure that GC will not iterate twice over the same pointer.
967
    if (RelocInfo::IsGCRelocMode(it.rinfo()->rmode())) {
968 969 970
      CHECK(it.rinfo()->pc() != last_gc_pc);
      last_gc_pc = it.rinfo()->pc();
    }
971 972 973
  }
}

974
void JSArray::JSArrayVerify(Isolate* isolate) {
975
  TorqueGeneratedClassVerifiers::JSArrayVerify(*this, isolate);
976 977
  // If a GC was caused while constructing this array, the elements
  // pointer may point to a one pointer filler map.
978
  if (!ElementsAreSafeToExamine(isolate)) return;
979 980 981
  if (elements().IsUndefined(isolate)) return;
  CHECK(elements().IsFixedArray() || elements().IsFixedDoubleArray());
  if (elements().length() == 0) {
982
    CHECK_EQ(elements(), ReadOnlyRoots(isolate).empty_fixed_array());
983
  }
984
  // Verify that the length and the elements backing store are in sync.
985 986
  if (length().IsSmi() &&
      (HasFastElements() || HasAnyNonextensibleElements())) {
987 988
    if (elements().length() > 0) {
      CHECK_IMPLIES(HasDoubleElements(), elements().IsFixedDoubleArray());
989
      CHECK_IMPLIES(HasSmiOrObjectElements() || HasAnyNonextensibleElements(),
990
                    elements().IsFixedArray());
991
    }
jgruber's avatar
jgruber committed
992
    int size = Smi::ToInt(length());
993 994
    // Holey / Packed backing stores might have slack or might have not been
    // properly initialized yet.
995
    CHECK(size <= elements().length() ||
996
          elements() == ReadOnlyRoots(isolate).empty_fixed_array());
997 998
  } else {
    CHECK(HasDictionaryElements());
999
    uint32_t array_length;
1000
    CHECK(length().ToArrayLength(&array_length));
1001
    if (array_length == 0xFFFFFFFF) {
1002
      CHECK(length().ToArrayLength(&array_length));
1003 1004
    }
    if (array_length != 0) {
1005
      NumberDictionary dict = NumberDictionary::cast(elements());
1006 1007 1008
      // The dictionary can never have more elements than the array length + 1.
      // If the backing store grows the verification might be triggered with
      // the old length in place.
1009
      uint32_t nof_elements = static_cast<uint32_t>(dict.NumberOfElements());
1010 1011
      if (nof_elements != 0) nof_elements--;
      CHECK_LE(nof_elements, array_length);
1012
    }
1013
  }
1014 1015
}

1016
void JSSet::JSSetVerify(Isolate* isolate) {
1017
  TorqueGeneratedClassVerifiers::JSSetVerify(*this, isolate);
1018
  CHECK(table().IsOrderedHashSet() || table().IsUndefined(isolate));
1019
  // TODO(arv): Verify OrderedHashTable too.
1020 1021
}

1022
void JSMap::JSMapVerify(Isolate* isolate) {
1023
  TorqueGeneratedClassVerifiers::JSMapVerify(*this, isolate);
1024
  CHECK(table().IsOrderedHashMap() || table().IsUndefined(isolate));
1025 1026 1027
  // TODO(arv): Verify OrderedHashTable too.
}

1028
void JSSetIterator::JSSetIteratorVerify(Isolate* isolate) {
1029
  CHECK(IsJSSetIterator());
1030
  JSCollectionIteratorVerify(isolate);
1031 1032
  CHECK(table().IsOrderedHashSet());
  CHECK(index().IsSmi());
1033 1034
}

1035
void JSMapIterator::JSMapIteratorVerify(Isolate* isolate) {
1036
  CHECK(IsJSMapIterator());
1037
  JSCollectionIteratorVerify(isolate);
1038 1039
  CHECK(table().IsOrderedHashMap());
  CHECK(index().IsSmi());
1040 1041
}

1042 1043
void WeakCell::WeakCellVerify(Isolate* isolate) {
  CHECK(IsWeakCell());
1044

1045
  CHECK(target().IsJSReceiver() || target().IsUndefined(isolate));
1046

1047 1048 1049
  CHECK(prev().IsWeakCell() || prev().IsUndefined(isolate));
  if (prev().IsWeakCell()) {
    CHECK_EQ(WeakCell::cast(prev()).next(), *this);
1050 1051
  }

1052 1053 1054
  CHECK(next().IsWeakCell() || next().IsUndefined(isolate));
  if (next().IsWeakCell()) {
    CHECK_EQ(WeakCell::cast(next()).prev(), *this);
1055
  }
1056

1057
  CHECK_IMPLIES(unregister_token().IsUndefined(isolate),
1058
                key_list_prev().IsUndefined(isolate));
1059
  CHECK_IMPLIES(unregister_token().IsUndefined(isolate),
1060
                key_list_next().IsUndefined(isolate));
1061

1062
  CHECK(key_list_prev().IsWeakCell() || key_list_prev().IsUndefined(isolate));
1063

1064
  CHECK(key_list_next().IsWeakCell() || key_list_next().IsUndefined(isolate));
1065

1066 1067
  CHECK(finalization_registry().IsUndefined(isolate) ||
        finalization_registry().IsJSFinalizationRegistry());
1068 1069
}

1070 1071 1072
void JSWeakRef::JSWeakRefVerify(Isolate* isolate) {
  CHECK(IsJSWeakRef());
  JSObjectVerify(isolate);
1073
  CHECK(target().IsUndefined(isolate) || target().IsJSReceiver());
1074 1075
}

1076 1077
void JSFinalizationRegistry::JSFinalizationRegistryVerify(Isolate* isolate) {
  CHECK(IsJSFinalizationRegistry());
1078 1079
  JSObjectVerify(isolate);
  VerifyHeapPointer(isolate, cleanup());
1080 1081 1082
  CHECK(active_cells().IsUndefined(isolate) || active_cells().IsWeakCell());
  if (active_cells().IsWeakCell()) {
    CHECK(WeakCell::cast(active_cells()).prev().IsUndefined(isolate));
1083
  }
1084 1085 1086
  CHECK(cleared_cells().IsUndefined(isolate) || cleared_cells().IsWeakCell());
  if (cleared_cells().IsWeakCell()) {
    CHECK(WeakCell::cast(cleared_cells()).prev().IsUndefined(isolate));
1087
  }
1088
  CHECK(next_dirty().IsUndefined(isolate) ||
1089
        next_dirty().IsJSFinalizationRegistry());
1090 1091
}

1092
void JSWeakMap::JSWeakMapVerify(Isolate* isolate) {
1093
  TorqueGeneratedClassVerifiers::JSWeakMapVerify(*this, isolate);
1094
  CHECK(table().IsEphemeronHashTable() || table().IsUndefined(isolate));
1095 1096
}

1097
void JSArrayIterator::JSArrayIteratorVerify(Isolate* isolate) {
1098
  TorqueGeneratedClassVerifiers::JSArrayIteratorVerify(*this, isolate);
1099

1100 1101
  CHECK_GE(next_index().Number(), 0);
  CHECK_LE(next_index().Number(), kMaxSafeInteger);
1102

1103
  if (iterated_object().IsJSTypedArray()) {
1104
    // JSTypedArray::length is limited to Smi range.
1105 1106 1107
    CHECK(next_index().IsSmi());
    CHECK_LE(next_index().Number(), Smi::kMaxValue);
  } else if (iterated_object().IsJSArray()) {
1108
    // JSArray::length is limited to Uint32 range.
1109
    CHECK_LE(next_index().Number(), kMaxUInt32);
1110
  }
1111 1112
}

1113
void JSStringIterator::JSStringIteratorVerify(Isolate* isolate) {
1114
  TorqueGeneratedClassVerifiers::JSStringIteratorVerify(*this, isolate);
1115 1116 1117
  CHECK_GE(index(), 0);
  CHECK_LE(index(), String::kMaxLength);
}
1118

1119
void JSWeakSet::JSWeakSetVerify(Isolate* isolate) {
1120
  TorqueGeneratedClassVerifiers::JSWeakSetVerify(*this, isolate);
1121
  CHECK(table().IsEphemeronHashTable() || table().IsUndefined(isolate));
1122 1123
}

1124
void CallableTask::CallableTaskVerify(Isolate* isolate) {
1125
  TorqueGeneratedClassVerifiers::CallableTaskVerify(*this, isolate);
1126
  CHECK(callable().IsCallable());
1127 1128
}

1129
void JSPromise::JSPromiseVerify(Isolate* isolate) {
1130
  TorqueGeneratedClassVerifiers::JSPromiseVerify(*this, isolate);
1131
  if (status() == Promise::kPending) {
1132
    CHECK(reactions().IsSmi() || reactions().IsPromiseReaction());
1133
  }
1134
}
1135

1136
template <typename Derived>
1137 1138
void SmallOrderedHashTable<Derived>::SmallOrderedHashTableVerify(
    Isolate* isolate) {
1139
  CHECK(IsSmallOrderedHashTable());
1140

1141 1142 1143 1144
  int capacity = Capacity();
  CHECK_GE(capacity, kMinCapacity);
  CHECK_LE(capacity, kMaxCapacity);

1145 1146 1147
  for (int entry = 0; entry < NumberOfBuckets(); entry++) {
    int bucket = GetFirstEntry(entry);
    if (bucket == kNotFound) continue;
1148 1149
    CHECK_GE(bucket, 0);
    CHECK_LE(bucket, capacity);
1150 1151 1152 1153 1154
  }

  for (int entry = 0; entry < NumberOfElements(); entry++) {
    int chain = GetNextEntry(entry);
    if (chain == kNotFound) continue;
1155 1156 1157
    CHECK_GE(chain, 0);
    CHECK_LE(chain, capacity);
  }
1158

1159
  for (int entry = 0; entry < NumberOfElements(); entry++) {
1160
    for (int offset = 0; offset < Derived::kEntrySize; offset++) {
1161
      Object val = GetDataEntry(entry, offset);
1162
      VerifyPointer(isolate, val);
1163
    }
1164 1165
  }

1166 1167 1168 1169
  for (int entry = NumberOfElements() + NumberOfDeletedElements();
       entry < Capacity(); entry++) {
    for (int offset = 0; offset < Derived::kEntrySize; offset++) {
      Object val = GetDataEntry(entry, offset);
1170
      CHECK(val.IsTheHole(isolate));
1171 1172 1173 1174 1175 1176
    }
  }
}
void SmallOrderedHashMap::SmallOrderedHashMapVerify(Isolate* isolate) {
  SmallOrderedHashTable<SmallOrderedHashMap>::SmallOrderedHashTableVerify(
      isolate);
1177 1178
  for (int entry = NumberOfElements(); entry < NumberOfDeletedElements();
       entry++) {
1179
    for (int offset = 0; offset < kEntrySize; offset++) {
1180
      Object val = GetDataEntry(entry, offset);
1181
      CHECK(val.IsTheHole(isolate));
1182
    }
1183
  }
1184
}
1185

1186 1187 1188 1189 1190 1191
void SmallOrderedHashSet::SmallOrderedHashSetVerify(Isolate* isolate) {
  SmallOrderedHashTable<SmallOrderedHashSet>::SmallOrderedHashTableVerify(
      isolate);
  for (int entry = NumberOfElements(); entry < NumberOfDeletedElements();
       entry++) {
    for (int offset = 0; offset < kEntrySize; offset++) {
1192
      Object val = GetDataEntry(entry, offset);
1193
      CHECK(val.IsTheHole(isolate));
1194
    }
1195 1196 1197
  }
}

1198 1199 1200 1201 1202 1203 1204 1205
void SmallOrderedNameDictionary::SmallOrderedNameDictionaryVerify(
    Isolate* isolate) {
  SmallOrderedHashTable<
      SmallOrderedNameDictionary>::SmallOrderedHashTableVerify(isolate);
  for (int entry = NumberOfElements(); entry < NumberOfDeletedElements();
       entry++) {
    for (int offset = 0; offset < kEntrySize; offset++) {
      Object val = GetDataEntry(entry, offset);
1206
      CHECK(val.IsTheHole(isolate) ||
1207 1208 1209 1210
            (PropertyDetails::Empty().AsSmi() == Smi::cast(val)));
    }
  }
}
1211

1212
void JSRegExp::JSRegExpVerify(Isolate* isolate) {
1213
  TorqueGeneratedClassVerifiers::JSRegExpVerify(*this, isolate);
1214 1215
  switch (TypeTag()) {
    case JSRegExp::ATOM: {
1216
      FixedArray arr = FixedArray::cast(data());
1217
      CHECK(arr.get(JSRegExp::kAtomPatternIndex).IsString());
1218
      break;
1219
    }
1220
    case JSRegExp::IRREGEXP: {
Ana Peško's avatar
Ana Peško committed
1221
      bool can_be_interpreted = RegExp::CanGenerateBytecode();
1222

1223
      FixedArray arr = FixedArray::cast(data());
1224
      Object one_byte_data = arr.get(JSRegExp::kIrregexpLatin1CodeIndex);
1225
      // Smi : Not compiled yet (-1).
1226
      // Code: Compiled irregexp code or trampoline to the interpreter.
1227 1228
      CHECK((one_byte_data.IsSmi() &&
             Smi::ToInt(one_byte_data) == JSRegExp::kUninitializedValue) ||
1229
            one_byte_data.IsCode());
1230 1231
      Object uc16_data = arr.get(JSRegExp::kIrregexpUC16CodeIndex);
      CHECK((uc16_data.IsSmi() &&
jgruber's avatar
jgruber committed
1232
             Smi::ToInt(uc16_data) == JSRegExp::kUninitializedValue) ||
1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248
            uc16_data.IsCode());

      Object one_byte_bytecode =
          arr.get(JSRegExp::kIrregexpLatin1BytecodeIndex);
      // Smi : Not compiled yet (-1).
      // ByteArray: Bytecode to interpret regexp.
      CHECK((one_byte_bytecode.IsSmi() &&
             Smi::ToInt(one_byte_bytecode) == JSRegExp::kUninitializedValue) ||
            (can_be_interpreted && one_byte_bytecode.IsByteArray()));
      Object uc16_bytecode = arr.get(JSRegExp::kIrregexpUC16BytecodeIndex);
      CHECK((uc16_bytecode.IsSmi() &&
             Smi::ToInt(uc16_bytecode) == JSRegExp::kUninitializedValue) ||
            (can_be_interpreted && uc16_bytecode.IsByteArray()));

      CHECK_IMPLIES(one_byte_data.IsSmi(), one_byte_bytecode.IsSmi());
      CHECK_IMPLIES(uc16_data.IsSmi(), uc16_bytecode.IsSmi());
1249

1250 1251
      CHECK(arr.get(JSRegExp::kIrregexpCaptureCountIndex).IsSmi());
      CHECK(arr.get(JSRegExp::kIrregexpMaxRegisterCountIndex).IsSmi());
1252
      CHECK(arr.get(JSRegExp::kIrregexpTicksUntilTierUpIndex).IsSmi());
1253
      CHECK(arr.get(JSRegExp::kIrregexpBacktrackLimit).IsSmi());
1254 1255 1256
      break;
    }
    default:
1257
      CHECK_EQ(JSRegExp::NOT_COMPILED, TypeTag());
1258
      CHECK(data().IsUndefined(isolate));
1259
      break;
1260
  }
1261 1262
}

1263
void JSProxy::JSProxyVerify(Isolate* isolate) {
1264
  TorqueGeneratedClassVerifiers::JSProxyVerify(*this, isolate);
1265
  CHECK(map().GetConstructor().IsJSFunction());
1266
  if (!IsRevoked()) {
1267 1268
    CHECK_EQ(target().IsCallable(), map().is_callable());
    CHECK_EQ(target().IsConstructor(), map().is_constructor());
1269
  }
1270
  CHECK(map().prototype().IsNull(isolate));
1271
  // There should be no properties on a Proxy.
1272
  CHECK_EQ(0, map().NumberOfOwnDescriptors());
1273 1274
}

1275
void JSArrayBuffer::JSArrayBufferVerify(Isolate* isolate) {
1276
  TorqueGeneratedClassVerifiers::JSArrayBufferVerify(*this, isolate);
1277
  if (FIELD_SIZE(kOptionalPaddingOffset) != 0) {
1278 1279 1280 1281
    CHECK_EQ(4, FIELD_SIZE(kOptionalPaddingOffset));
    CHECK_EQ(0,
             *reinterpret_cast<uint32_t*>(address() + kOptionalPaddingOffset));
  }
1282 1283
}

1284
void JSArrayBufferView::JSArrayBufferViewVerify(Isolate* isolate) {
1285
  TorqueGeneratedClassVerifiers::JSArrayBufferViewVerify(*this, isolate);
1286 1287
  CHECK_LE(byte_length(), JSArrayBuffer::kMaxByteLength);
  CHECK_LE(byte_offset(), JSArrayBuffer::kMaxByteLength);
1288 1289
}

1290
void JSTypedArray::JSTypedArrayVerify(Isolate* isolate) {
1291
  TorqueGeneratedClassVerifiers::JSTypedArrayVerify(*this, isolate);
1292
  CHECK_LE(length(), JSTypedArray::kMaxLength);
1293 1294
}

1295
void JSDataView::JSDataViewVerify(Isolate* isolate) {
1296
  TorqueGeneratedClassVerifiers::JSDataViewVerify(*this, isolate);
1297 1298 1299 1300 1301 1302 1303
  if (!WasDetached()) {
    CHECK_EQ(reinterpret_cast<uint8_t*>(
                 JSArrayBuffer::cast(buffer()).backing_store()) +
                 byte_offset(),
             data_pointer());
  }
}
1304

1305
void AsyncGeneratorRequest::AsyncGeneratorRequestVerify(Isolate* isolate) {
1306
  TorqueGeneratedClassVerifiers::AsyncGeneratorRequestVerify(*this, isolate);
1307 1308
  CHECK_GE(resume_mode(), JSGeneratorObject::kNext);
  CHECK_LE(resume_mode(), JSGeneratorObject::kThrow);
1309
  next().ObjectVerify(isolate);
1310 1311
}

1312 1313
void BigIntBase::BigIntBaseVerify(Isolate* isolate) {
  TorqueGeneratedClassVerifiers::BigIntBaseVerify(*this, isolate);
1314 1315 1316
  CHECK_GE(length(), 0);
  CHECK_IMPLIES(is_zero(), !sign());  // There is no -0n.
}
1317

1318 1319 1320 1321
void SourceTextModuleInfoEntry::SourceTextModuleInfoEntryVerify(
    Isolate* isolate) {
  TorqueGeneratedClassVerifiers::SourceTextModuleInfoEntryVerify(*this,
                                                                 isolate);
1322 1323 1324
  CHECK_IMPLIES(import_name().IsString(), module_request() >= 0);
  CHECK_IMPLIES(export_name().IsString() && import_name().IsString(),
                local_name().IsUndefined(isolate));
1325 1326
}

1327 1328
void Module::ModuleVerify(Isolate* isolate) {
  TorqueGeneratedClassVerifiers::ModuleVerify(*this, isolate);
1329

1330
  CHECK_EQ(status() == Module::kErrored, !exception().IsTheHole(isolate));
1331

1332 1333 1334 1335 1336
  CHECK(module_namespace().IsUndefined(isolate) ||
        module_namespace().IsJSModuleNamespace());
  if (module_namespace().IsJSModuleNamespace()) {
    CHECK_LE(Module::kInstantiating, status());
    CHECK_EQ(JSModuleNamespace::cast(module_namespace()).module(), *this);
1337 1338
  }

1339
  CHECK_NE(hash(), 0);
1340
}
1341

1342
void SourceTextModule::SourceTextModuleVerify(Isolate* isolate) {
1343
  TorqueGeneratedClassVerifiers::SourceTextModuleVerify(*this, isolate);
1344

1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356
  if (status() == kErrored) {
    CHECK(code().IsSourceTextModuleInfo());
  } else if (status() == kEvaluating || status() == kEvaluated) {
    CHECK(code().IsJSGeneratorObject());
  } else {
    CHECK((status() == kInstantiated && code().IsJSGeneratorObject()) ||
          (status() == kInstantiating && code().IsJSFunction()) ||
          (status() == kPreInstantiating && code().IsSharedFunctionInfo()) ||
          (status() == kUninstantiated && code().IsSharedFunctionInfo()));
    CHECK(top_level_capability().IsUndefined() && !AsyncParentModuleCount() &&
          !pending_async_dependencies() && !async_evaluating());
  }
1357

1358
  CHECK_EQ(requested_modules().length(), info().module_requests().length());
1359
}
1360

1361 1362 1363 1364 1365 1366 1367 1368
void SyntheticModule::SyntheticModuleVerify(Isolate* isolate) {
  TorqueGeneratedClassVerifiers::SyntheticModuleVerify(*this, isolate);

  for (int i = 0; i < export_names().length(); i++) {
    CHECK(export_names().get(i).IsString());
  }
}

1369
void PrototypeInfo::PrototypeInfoVerify(Isolate* isolate) {
1370
  TorqueGeneratedClassVerifiers::PrototypeInfoVerify(*this, isolate);
1371
  if (prototype_users().IsWeakArrayList()) {
1372
    PrototypeUsers::Verify(WeakArrayList::cast(prototype_users()));
1373
  } else {
1374
    CHECK(prototype_users().IsSmi());
1375 1376 1377
  }
}

1378
void PrototypeUsers::Verify(WeakArrayList array) {
1379
  if (array.length() == 0) {
1380 1381 1382 1383 1384 1385 1386 1387
    // Allow empty & uninitialized lists.
    return;
  }
  // Verify empty slot chain.
  int empty_slot = Smi::ToInt(empty_slot_index(array));
  int empty_slots_count = 0;
  while (empty_slot != kNoEmptySlotsMarker) {
    CHECK_GT(empty_slot, 0);
1388 1389
    CHECK_LT(empty_slot, array.length());
    empty_slot = array.Get(empty_slot).ToSmi().value();
1390 1391 1392 1393 1394 1395
    ++empty_slots_count;
  }

  // Verify that all elements are either weak pointers or SMIs marking empty
  // slots.
  int weak_maps_count = 0;
1396
  for (int i = kFirstIndex; i < array.length(); ++i) {
1397
    HeapObject heap_object;
1398 1399
    MaybeObject object = array.Get(i);
    if ((object->GetHeapObjectIfWeak(&heap_object) && heap_object.IsMap()) ||
1400
        object->IsCleared()) {
1401 1402 1403 1404 1405 1406
      ++weak_maps_count;
    } else {
      CHECK(object->IsSmi());
    }
  }

1407
  CHECK_EQ(weak_maps_count + empty_slots_count + 1, array.length());
1408 1409
}

1410
void EnumCache::EnumCacheVerify(Isolate* isolate) {
1411
  TorqueGeneratedClassVerifiers::EnumCacheVerify(*this, isolate);
1412
  Heap* heap = isolate->heap();
1413
  if (*this == ReadOnlyRoots(heap).empty_enum_cache()) {
1414 1415
    CHECK_EQ(ReadOnlyRoots(heap).empty_fixed_array(), keys());
    CHECK_EQ(ReadOnlyRoots(heap).empty_fixed_array(), indices());
1416
  }
1417 1418
}

1419 1420 1421 1422 1423 1424 1425 1426
void ObjectBoilerplateDescription::ObjectBoilerplateDescriptionVerify(
    Isolate* isolate) {
  CHECK(IsObjectBoilerplateDescription());
  CHECK_GE(this->length(),
           ObjectBoilerplateDescription::kDescriptionStartIndex);
  this->FixedArrayVerify(isolate);
}

1427
USE_TORQUE_VERIFIER(AsmWasmData)
1428

1429 1430
void WasmInstanceObject::WasmInstanceObjectVerify(Isolate* isolate) {
  JSObjectVerify(isolate);
1431 1432 1433 1434 1435
  CHECK(IsWasmInstanceObject());

  // Just generically check all tagged fields. Don't check the untagged fields,
  // as some of them might still contain the "undefined" value if the
  // WasmInstanceObject is not fully set up yet.
1436
  for (int offset = kHeaderSize; offset < kEndOfStrongFieldsOffset;
1437
       offset += kTaggedSize) {
1438
    VerifyObjectField(isolate, offset);
1439 1440 1441
  }
}

1442 1443
void WasmExportedFunctionData::WasmExportedFunctionDataVerify(
    Isolate* isolate) {
1444
  TorqueGeneratedClassVerifiers::WasmExportedFunctionDataVerify(*this, isolate);
1445 1446
  CHECK(wrapper_code().kind() == Code::JS_TO_WASM_FUNCTION ||
        wrapper_code().kind() == Code::C_WASM_ENTRY);
1447 1448
}

1449
USE_TORQUE_VERIFIER(WasmModuleObject)
1450

1451
USE_TORQUE_VERIFIER(WasmTableObject)
1452

1453
USE_TORQUE_VERIFIER(WasmMemoryObject)
1454

1455
USE_TORQUE_VERIFIER(WasmGlobalObject)
1456

1457
USE_TORQUE_VERIFIER(WasmExceptionObject)
1458

1459
void DataHandler::DataHandlerVerify(Isolate* isolate) {
1460
  TorqueGeneratedClassVerifiers::DataHandlerVerify(*this, isolate);
1461 1462
  CHECK_IMPLIES(!smi_handler().IsSmi(),
                smi_handler().IsCode() && IsStoreHandler());
1463 1464
  int data_count = data_field_count();
  if (data_count >= 1) {
1465
    VerifyMaybeObjectField(isolate, kData1Offset);
1466 1467
  }
  if (data_count >= 2) {
1468
    VerifyMaybeObjectField(isolate, kData2Offset);
1469
  }
1470
  if (data_count >= 3) {
1471
    VerifyMaybeObjectField(isolate, kData3Offset);
1472
  }
1473 1474
}

1475 1476
void LoadHandler::LoadHandlerVerify(Isolate* isolate) {
  DataHandler::DataHandlerVerify(isolate);
1477 1478 1479
  // TODO(ishell): check handler integrity
}

1480 1481
void StoreHandler::StoreHandlerVerify(Isolate* isolate) {
  DataHandler::DataHandlerVerify(isolate);
1482 1483 1484
  // TODO(ishell): check handler integrity
}

1485
void CallHandlerInfo::CallHandlerInfoVerify(Isolate* isolate) {
1486
  TorqueGeneratedClassVerifiers::CallHandlerInfoVerify(*this, isolate);
1487 1488 1489 1490 1491
  CHECK(map() == ReadOnlyRoots(isolate).side_effect_call_handler_info_map() ||
        map() ==
            ReadOnlyRoots(isolate).side_effect_free_call_handler_info_map() ||
        map() == ReadOnlyRoots(isolate)
                     .next_call_side_effect_free_call_handler_info_map());
1492
}
1493

1494
USE_TORQUE_VERIFIER(WasmCapiFunctionData)
1495

1496 1497
USE_TORQUE_VERIFIER(WasmJSFunctionData)

1498 1499
USE_TORQUE_VERIFIER(WasmIndirectFunctionTable)

1500
void AllocationSite::AllocationSiteVerify(Isolate* isolate) {
1501
  CHECK(IsAllocationSite());
1502 1503 1504
  CHECK(dependent_code().IsDependentCode());
  CHECK(transition_info_or_boilerplate().IsSmi() ||
        transition_info_or_boilerplate().IsJSObject());
1505
  CHECK(nested_site().IsAllocationSite() || nested_site() == Smi::zero());
1506 1507
}

1508
void Script::ScriptVerify(Isolate* isolate) {
1509
  TorqueGeneratedClassVerifiers::ScriptVerify(*this, isolate);
1510 1511
  for (int i = 0; i < shared_function_infos().length(); ++i) {
    MaybeObject maybe_object = shared_function_infos().Get(i);
1512
    HeapObject heap_object;
1513 1514
    CHECK(maybe_object->IsWeak() || maybe_object->IsCleared() ||
          (maybe_object->GetHeapObjectIfStrong(&heap_object) &&
1515
           heap_object.IsUndefined(isolate)));
1516
  }
1517 1518
}

1519
void NormalizedMapCache::NormalizedMapCacheVerify(Isolate* isolate) {
1520
  WeakFixedArray::cast(*this).WeakFixedArrayVerify(isolate);
1521 1522
  if (FLAG_enable_slow_asserts) {
    for (int i = 0; i < length(); i++) {
1523
      MaybeObject e = WeakFixedArray::Get(i);
1524
      HeapObject heap_object;
1525
      if (e->GetHeapObjectIfWeak(&heap_object)) {
1526
        Map::cast(heap_object).DictionaryMapVerify(isolate);
1527
      } else {
1528
        CHECK(e->IsCleared() || (e->GetHeapObjectIfStrong(&heap_object) &&
1529
                                 heap_object.IsUndefined(isolate)));
1530 1531 1532 1533 1534
      }
    }
  }
}

1535
void PreparseData::PreparseDataVerify(Isolate* isolate) {
1536
  TorqueGeneratedClassVerifiers::PreparseDataVerify(*this, isolate);
1537 1538
  CHECK_LE(0, data_length());
  CHECK_LE(0, children_length());
1539

1540 1541
  for (int i = 0; i < children_length(); ++i) {
    Object child = get_child_raw(i);
1542
    CHECK(child.IsNull() || child.IsPreparseData());
1543
    VerifyPointer(isolate, child);
1544
  }
1545 1546
}

1547
USE_TORQUE_VERIFIER(InterpreterData)
1548

1549
#endif  // VERIFY_HEAP
1550

1551
#ifdef DEBUG
1552

1553 1554
void JSObject::IncrementSpillStatistics(Isolate* isolate,
                                        SpillInformation* info) {
1555 1556 1557 1558
  info->number_of_objects_++;
  // Named properties
  if (HasFastProperties()) {
    info->number_of_objects_with_fast_properties_++;
1559 1560
    info->number_of_fast_used_fields_ += map().NextFreePropertyIndex();
    info->number_of_fast_unused_fields_ += map().UnusedPropertyFields();
1561
  } else if (IsJSGlobalObject()) {
1562 1563
    GlobalDictionary dict = JSGlobalObject::cast(*this).global_dictionary();
    info->number_of_slow_used_properties_ += dict.NumberOfElements();
1564
    info->number_of_slow_unused_properties_ +=
1565
        dict.Capacity() - dict.NumberOfElements();
1566
  } else {
1567
    NameDictionary dict = property_dictionary();
1568
    info->number_of_slow_used_properties_ += dict.NumberOfElements();
1569
    info->number_of_slow_unused_properties_ +=
1570
        dict.Capacity() - dict.NumberOfElements();
1571 1572
  }
  // Indexed properties
1573
  switch (GetElementsKind()) {
1574 1575 1576 1577 1578
    case HOLEY_SMI_ELEMENTS:
    case PACKED_SMI_ELEMENTS:
    case HOLEY_DOUBLE_ELEMENTS:
    case PACKED_DOUBLE_ELEMENTS:
    case HOLEY_ELEMENTS:
1579 1580
    case HOLEY_FROZEN_ELEMENTS:
    case HOLEY_SEALED_ELEMENTS:
1581
    case HOLEY_NONEXTENSIBLE_ELEMENTS:
1582
    case PACKED_ELEMENTS:
1583 1584
    case PACKED_FROZEN_ELEMENTS:
    case PACKED_SEALED_ELEMENTS:
1585
    case PACKED_NONEXTENSIBLE_ELEMENTS:
1586
    case FAST_STRING_WRAPPER_ELEMENTS: {
1587 1588
      info->number_of_objects_with_fast_elements_++;
      int holes = 0;
1589
      FixedArray e = FixedArray::cast(elements());
1590
      int len = e.length();
1591
      for (int i = 0; i < len; i++) {
1592
        if (e.get(i).IsTheHole(isolate)) holes++;
1593
      }
1594
      info->number_of_fast_used_elements_ += len - holes;
1595 1596
      info->number_of_fast_unused_elements_ += holes;
      break;
1597
    }
1598

1599
#define TYPED_ARRAY_CASE(Type, type, TYPE, ctype) case TYPE##_ELEMENTS:
1600

1601
      TYPED_ARRAYS(TYPED_ARRAY_CASE)
1602
#undef TYPED_ARRAY_CASE
1603 1604
      {
        info->number_of_objects_with_fast_elements_++;
1605
        FixedArrayBase e = FixedArrayBase::cast(elements());
1606
        info->number_of_fast_used_elements_ += e.length();
1607 1608
        break;
      }
1609 1610
    case DICTIONARY_ELEMENTS:
    case SLOW_STRING_WRAPPER_ELEMENTS: {
1611
      NumberDictionary dict = element_dictionary();
1612
      info->number_of_slow_used_elements_ += dict.NumberOfElements();
1613
      info->number_of_slow_unused_elements_ +=
1614
          dict.Capacity() - dict.NumberOfElements();
1615 1616
      break;
    }
1617 1618
    case FAST_SLOPPY_ARGUMENTS_ELEMENTS:
    case SLOW_SLOPPY_ARGUMENTS_ELEMENTS:
1619
    case NO_ELEMENTS:
1620
      break;
1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641
  }
}

void JSObject::SpillInformation::Clear() {
  number_of_objects_ = 0;
  number_of_objects_with_fast_properties_ = 0;
  number_of_objects_with_fast_elements_ = 0;
  number_of_fast_used_fields_ = 0;
  number_of_fast_unused_fields_ = 0;
  number_of_slow_used_properties_ = 0;
  number_of_slow_unused_properties_ = 0;
  number_of_fast_used_elements_ = 0;
  number_of_fast_unused_elements_ = 0;
  number_of_slow_used_elements_ = 0;
  number_of_slow_unused_elements_ = 0;
}

void JSObject::SpillInformation::Print() {
  PrintF("\n  JSObject Spill Statistics (#%d):\n", number_of_objects_);

  PrintF("    - fast properties (#%d): %d (used) %d (unused)\n",
1642 1643
         number_of_objects_with_fast_properties_, number_of_fast_used_fields_,
         number_of_fast_unused_fields_);
1644 1645 1646 1647 1648 1649

  PrintF("    - slow properties (#%d): %d (used) %d (unused)\n",
         number_of_objects_ - number_of_objects_with_fast_properties_,
         number_of_slow_used_properties_, number_of_slow_unused_properties_);

  PrintF("    - fast elements (#%d): %d (used) %d (unused)\n",
1650 1651
         number_of_objects_with_fast_elements_, number_of_fast_used_elements_,
         number_of_fast_unused_elements_);
1652 1653 1654 1655 1656 1657 1658 1659

  PrintF("    - slow elements (#%d): %d (used) %d (unused)\n",
         number_of_objects_ - number_of_objects_with_fast_elements_,
         number_of_slow_used_elements_, number_of_slow_unused_elements_);

  PrintF("\n");
}

1660
bool DescriptorArray::IsSortedNoDuplicates() {
1661
  Name current_key;
1662
  uint32_t current = 0;
1663
  for (int i = 0; i < number_of_descriptors(); i++) {
1664
    Name key = GetSortedKey(i);
1665
    if (key == current_key) {
1666
      Print();
1667 1668 1669
      return false;
    }
    current_key = key;
1670
    uint32_t hash = GetSortedKey(i).Hash();
1671
    if (hash < current) {
1672
      Print();
1673 1674 1675 1676 1677 1678 1679
      return false;
    }
    current = hash;
  }
  return true;
}

1680
bool TransitionArray::IsSortedNoDuplicates() {
1681
  Name prev_key;
1682
  PropertyKind prev_kind = kData;
1683 1684
  PropertyAttributes prev_attributes = NONE;
  uint32_t prev_hash = 0;
1685

1686
  for (int i = 0; i < number_of_transitions(); i++) {
1687
    Name key = GetSortedKey(i);
1688
    uint32_t hash = key.Hash();
1689
    PropertyKind kind = kData;
1690
    PropertyAttributes attributes = NONE;
1691
    if (!TransitionsAccessor::IsSpecialTransition(key.GetReadOnlyRoots(),
1692
                                                  key)) {
1693
      Map target = GetTarget(i);
1694
      PropertyDetails details =
1695
          TransitionsAccessor::GetTargetDetails(key, target);
1696
      kind = details.kind();
1697 1698 1699
      attributes = details.attributes();
    } else {
      // Duplicate entries are not allowed for non-property transitions.
1700
      DCHECK_NE(prev_key, key);
1701
    }
1702

1703 1704
    int cmp = CompareKeys(prev_key, prev_hash, prev_kind, prev_attributes, key,
                          hash, kind, attributes);
1705
    if (cmp >= 0) {
1706
      Print();
1707 1708
      return false;
    }
1709 1710 1711
    prev_key = key;
    prev_hash = hash;
    prev_attributes = attributes;
1712
    prev_kind = kind;
1713 1714 1715 1716
  }
  return true;
}

1717
bool TransitionsAccessor::IsSortedNoDuplicates() {
1718
  // Simple and non-existent transitions are always sorted.
1719
  if (encoding() != kFullTransitionArray) return true;
1720
  return transitions().IsSortedNoDuplicates();
1721 1722
}

1723
static bool CheckOneBackPointer(Map current_map, Object target) {
1724
  return !target.IsMap() || Map::cast(target).GetBackPointer() == current_map;
1725 1726
}

1727 1728 1729
bool TransitionsAccessor::IsConsistentWithBackPointers() {
  int num_transitions = NumberOfTransitions();
  for (int i = 0; i < num_transitions; i++) {
1730
    Map target = GetTarget(i);
1731
    if (!CheckOneBackPointer(map_, target)) return false;
1732 1733 1734 1735
  }
  return true;
}

1736 1737
#undef USE_TORQUE_VERIFIER

1738 1739
#endif  // DEBUG

1740 1741
}  // namespace internal
}  // namespace v8