[heap] Fix check in AdvancePage

Failing to do the right check in AdvancePage results in a crash in a CHECK later in EnsureCurrentCapacity. BUG=chromium:620750,chromium:622115 LOG=N R=jochen@chromium.org Review-Url: https://codereview.chromium.org/2090013002 Cr-Commit-Position: refs/heads/master@{#37171}

[heap] Fix check in AdvancePage
Failing to do the right check in AdvancePage results in a crash in a CHECK later in EnsureCurrentCapacity. BUG=chromium:620750,chromium:622115 LOG=N R=jochen@chromium.org Review-Url: https://codereview.chromium.org/2090013002 Cr-Commit-Position: refs/heads/master@{#37171}
21b55c4a · mlippautz · Commit bot · 67937285 · 21b55c4a · 21b55c4a
Commit 21b55c4a authored Jun 22, 2016 by mlippautz Committed by Commit bot Jun 22, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 1 deletion

spaces.h src/heap/spaces.h +5 -1

regress-620750.js test/mjsunit/regress/regress-620750.js +14 -0

No files found.
--- a/src/heap/spaces.h
+++ b/src/heap/spaces.h
@@ -2459,7 +2459,11 @@ class SemiSpace : public Space {

  bool AdvancePage() {
    Page* next_page = current_page_->next_page();
-    if (next_page == anchor() || pages_used_ == max_pages()) {
+    // We cannot expand if we reached the maximum number of pages already. Note
+    // that we need to account for the next page already for this check as we
+    // could potentially fill the whole page after advancing.
+    const bool reached_max_pages = (pages_used_ + 1) == max_pages();
+    if (next_page == anchor() || reached_max_pages) {
      return false;
    }
    current_page_ = next_page;

--- a/test/mjsunit/regress/regress-620750.js
+++ b/test/mjsunit/regress/regress-620750.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --es-staging
+
+function push_a_lot(arr) {
+  for (var i = 0; i < 2e4; i++) {
+    arr.push(i);
+  }
+  return arr;
+}
+
+__v_13 = push_a_lot([]);