Commit 18a10e34 authored by jarin@chromium.org's avatar jarin@chromium.org

Fix pointer iteration for maps.

BUG=
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/475463003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23114 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent efde48fb
......@@ -486,10 +486,11 @@ void StoreBuffer::IteratePointersToNewSpace(ObjectSlotCallback slot_callback,
heap_object = iterator.Next()) {
// We skip free space objects.
if (!heap_object->IsFiller()) {
DCHECK(heap_object->IsMap());
FindPointersToNewSpaceInRegion(
heap_object->address() + HeapObject::kHeaderSize,
heap_object->address() + heap_object->Size(), slot_callback,
clear_maps);
heap_object->address() + Map::kPointerFieldsBeginOffset,
heap_object->address() + Map::kPointerFieldsEndOffset,
slot_callback, clear_maps);
}
}
} else {
......
......@@ -4475,6 +4475,51 @@ TEST(Regress388880) {
}
TEST(RegressStoreBufferMapUpdate) {
CcTest::InitializeVM();
v8::HandleScope scope(CcTest::isolate());
Isolate* isolate = CcTest::i_isolate();
Factory* factory = isolate->factory();
Heap* heap = isolate->heap();
// This test checks that we do not treat instance size field of the map
// as a heap pointer when processing the store buffer.
Handle<Map> map1 = Map::Create(isolate->object_function(), 1);
// Allocate a throw-away object.
factory->NewFixedArray(1, NOT_TENURED);
// Allocate a new-space object that will be moved by the GC (because
// the throw-away object will die).
Handle<FixedArray> object_to_move = factory->NewFixedArray(1, NOT_TENURED);
// Record the address before the GC.
Object* object_to_move_address = *object_to_move;
// Smash the new space pointer to the moving object into the instance size
// field of the map. The idea is to trick the GC into updating this pointer
// when the object moves. This would be wrong because instance size should
// not be treated as a heap pointer.
*(reinterpret_cast<Object**>(map1->address() + Map::kInstanceSizeOffset)) =
object_to_move_address;
// Make sure we scan the map's page on scavenge.
Page* page = Page::FromAddress(map1->address());
page->set_scan_on_scavenge(true);
heap->CollectGarbage(NEW_SPACE);
// Check the object has really moved.
CHECK(*object_to_move != object_to_move_address);
// Now check that we have not updated the instance size field of the map.
CHECK_EQ(object_to_move_address,
*(reinterpret_cast<Object**>(map1->address() +
Map::kInstanceSizeOffset)));
}
#ifdef DEBUG
TEST(PathTracer) {
CcTest::InitializeVM();
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment