Commit 31fab144 authored by Igor Sheludko's avatar Igor Sheludko Committed by Commit Bot

Ensure root maps do not have slack in descriptor array

Drive-by-fix: enable heap verification in mksnapshot.

Bug: chromium:1025468
Change-Id: Ieb52d5139fa37df4ff0d8e8d46c3e0e6d14c2c8c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924363Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65102}
parent 28fb79c8
......@@ -1318,6 +1318,10 @@ template("run_mksnapshot") {
args += [ "--no-enable-slow-asserts" ]
}
}
if (v8_enable_verify_heap) {
args += [ "--verify-heap" ]
}
}
}
......
......@@ -441,8 +441,20 @@ void Map::MapVerify(Isolate* isolate) {
if (IsContextMap()) {
CHECK(native_context().IsNativeContext());
} else {
CHECK_IMPLIES(!GetBackPointer().IsUndefined(isolate),
!Map::cast(GetBackPointer()).is_stable());
if (GetBackPointer().IsUndefined(isolate)) {
// Root maps must keep the ownership and there must be no descriptors
// in the descriptors array that do not belong to the map.
CHECK(owns_descriptors() || is_prototype_map());
CHECK_EQ(NumberOfOwnDescriptors(),
instance_descriptors().number_of_descriptors());
if (!is_prototype_map()) {
// There must be no slack in root maps' descriptors array.
CHECK_EQ(0, instance_descriptors().number_of_slack_descriptors());
}
} else {
// If there is a parent map it must be non-stable.
CHECK(!Map::cast(GetBackPointer()).is_stable());
}
}
SLOW_DCHECK(instance_descriptors().IsSortedNoDuplicates());
DisallowHeapAllocation no_gc;
......
......@@ -4059,6 +4059,7 @@ Handle<Map> Factory::CreateSloppyFunctionMap(
map->AppendDescriptor(isolate(), &d);
}
DCHECK_EQ(inobject_properties_count, field_index);
DCHECK_EQ(0, map->instance_descriptors().number_of_slack_descriptors());
LOG(isolate(), MapDetails(*map));
return map;
}
......@@ -4069,10 +4070,15 @@ Handle<Map> Factory::CreateStrictFunctionMap(
int header_size = has_prototype ? JSFunction::kSizeWithPrototype
: JSFunction::kSizeWithoutPrototype;
int inobject_properties_count = 0;
if (IsFunctionModeWithName(function_mode)) ++inobject_properties_count;
// length and prototype accessors or just length accessor.
int descriptors_count = IsFunctionModeWithPrototype(function_mode) ? 2 : 1;
if (IsFunctionModeWithName(function_mode)) {
++inobject_properties_count; // name property.
} else {
++descriptors_count; // name accessor.
}
if (IsFunctionModeWithHomeObject(function_mode)) ++inobject_properties_count;
int descriptors_count = (IsFunctionModeWithPrototype(function_mode) ? 3 : 2) +
inobject_properties_count;
descriptors_count += inobject_properties_count;
Handle<Map> map = NewMap(
JS_FUNCTION_TYPE, header_size + inobject_properties_count * kTaggedSize,
......@@ -4136,6 +4142,7 @@ Handle<Map> Factory::CreateStrictFunctionMap(
map->AppendDescriptor(isolate(), &d);
}
DCHECK_EQ(inobject_properties_count, field_index);
DCHECK_EQ(0, map->instance_descriptors().number_of_slack_descriptors());
LOG(isolate(), MapDetails(*map));
return map;
}
......
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function f() {
class H {
['h']() {}
}
let h = H.prototype.h;
h[1024] = {};
h["XXX"] = {};
h[-1] = {};
}
f();
f();
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment