Add more JSArray verification for --verify-heap

BUG= Review-Url: https://codereview.chromium.org/2431133003 Cr-Commit-Position: refs/heads/master@{#40969}

Add more JSArray verification for --verify-heap
BUG= Review-Url: https://codereview.chromium.org/2431133003 Cr-Commit-Position: refs/heads/master@{#40969}
0909e5cc · cbruni · Commit bot · 1c1edda7 · 0909e5cc
Commit 0909e5cc authored Nov 14, 2016 by cbruni Committed by Commit bot Nov 14, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 3 deletions

objects-debug.cc src/objects-debug.cc +20 -3

No files found.
--- a/src/objects-debug.cc
+++ b/src/objects-debug.cc
@@ -772,9 +772,26 @@ void JSArray::JSArrayVerify() {
  CHECK(length()->IsNumber() || length()->IsUndefined(isolate));
  // If a GC was caused while constructing this array, the elements
  // pointer may point to a one pointer filler map.
-  if (ElementsAreSafeToExamine()) {
-    CHECK(elements()->IsUndefined(isolate) || elements()->IsFixedArray() ||
-          elements()->IsFixedDoubleArray());
+  if (!ElementsAreSafeToExamine()) return;
+  if (elements()->IsUndefined(isolate)) return;
+  CHECK(elements()->IsFixedArray() || elements()->IsFixedDoubleArray());
+  if (!length()->IsNumber()) return;
+  // Verify that the length and the elements backing store are in sync.
+  if (length()->IsSmi() && HasFastElements()) {
+    int size = Smi::cast(length())->value();
+    // Holey / Packed backing stores might have slack or might have not been
+    // properly initialized yet.
+    CHECK(size <= elements()->length() ||
+          elements() == isolate->heap()->empty_fixed_array());
+  } else {
+    CHECK(HasDictionaryElements());
+    uint32_t size;
+    CHECK(length()->ToArrayLength(&size));
+    if (size != 0) {
+      SeededNumberDictionary* dict = SeededNumberDictionary::cast(elements());
+      // The dictionary can never have more elements than the array length.
+      CHECK(static_cast<uint32_t>(dict->NumberOfElements()) <= size);
+    }
  }
 }