Fix assert by reordering the initialization of the arguments boilerplate.

If a GC happened during initialization (when allocating the elements array)
of the non_strict_arguments_boilerplate, heap verification would fail with the following assert:

ASSERT_EQ((map()->has_fast_elements() || map()->has_fast_smi_only_elements()),
            (elements()->map() == GetHeap()->fixed_array_map() ||
             elements()->map() == GetHeap()->fixed_cow_array_map()));

This was not harmful since the boilerplate was setup 
correctly immediatly afterwards.


Simplified the setup code by removing a call to GetElementsTransitionMap. It always return the same map as 
the input object in this case and is therefore unnecessary.


Added more assertions to verify well-formed non-strict
arguments backing store.

BUG=v8:1520
TEST=no more flaky tests with failing this assert.
 
Review URL: http://codereview.chromium.org/8336021

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9678 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent b15cfedf
...@@ -1084,11 +1084,6 @@ void Genesis::InitializeGlobal(Handle<GlobalObject> inner_global, ...@@ -1084,11 +1084,6 @@ void Genesis::InitializeGlobal(Handle<GlobalObject> inner_global,
} }
{ // --- aliased_arguments_boilerplate_ { // --- aliased_arguments_boilerplate_
Handle<Map> old_map(global_context()->arguments_boilerplate()->map());
Handle<Map> new_map = factory->CopyMapDropTransitions(old_map);
new_map->set_pre_allocated_property_fields(2);
Handle<JSObject> result = factory->NewJSObjectFromMap(new_map);
new_map->set_elements_kind(NON_STRICT_ARGUMENTS_ELEMENTS);
// Set up a well-formed parameter map to make assertions happy. // Set up a well-formed parameter map to make assertions happy.
Handle<FixedArray> elements = factory->NewFixedArray(2); Handle<FixedArray> elements = factory->NewFixedArray(2);
elements->set_map(heap->non_strict_arguments_elements_map()); elements->set_map(heap->non_strict_arguments_elements_map());
...@@ -1097,12 +1092,16 @@ void Genesis::InitializeGlobal(Handle<GlobalObject> inner_global, ...@@ -1097,12 +1092,16 @@ void Genesis::InitializeGlobal(Handle<GlobalObject> inner_global,
elements->set(0, *array); elements->set(0, *array);
array = factory->NewFixedArray(0); array = factory->NewFixedArray(0);
elements->set(1, *array); elements->set(1, *array);
Handle<Map> non_strict_arguments_elements_map =
factory->GetElementsTransitionMap(result, Handle<Map> old_map(global_context()->arguments_boilerplate()->map());
NON_STRICT_ARGUMENTS_ELEMENTS); Handle<Map> new_map = factory->CopyMapDropTransitions(old_map);
result->set_map(*non_strict_arguments_elements_map); new_map->set_pre_allocated_property_fields(2);
ASSERT(result->HasNonStrictArgumentsElements()); Handle<JSObject> result = factory->NewJSObjectFromMap(new_map);
// Set elements kind after allocating the object because
// NewJSObjectFromMap assumes a fast elements map.
new_map->set_elements_kind(NON_STRICT_ARGUMENTS_ELEMENTS);
result->set_elements(*elements); result->set_elements(*elements);
ASSERT(result->HasNonStrictArgumentsElements());
global_context()->set_aliased_arguments_boilerplate(*result); global_context()->set_aliased_arguments_boilerplate(*result);
} }
......
...@@ -263,6 +263,12 @@ void ExternalDoubleArray::ExternalDoubleArrayVerify() { ...@@ -263,6 +263,12 @@ void ExternalDoubleArray::ExternalDoubleArrayVerify() {
void JSObject::JSObjectVerify() { void JSObject::JSObjectVerify() {
VerifyHeapPointer(properties()); VerifyHeapPointer(properties());
VerifyHeapPointer(elements()); VerifyHeapPointer(elements());
if (GetElementsKind() == NON_STRICT_ARGUMENTS_ELEMENTS) {
ASSERT(this->elements()->IsFixedArray());
ASSERT(this->elements()->length() >= 2);
}
if (HasFastProperties()) { if (HasFastProperties()) {
CHECK_EQ(map()->unused_property_fields(), CHECK_EQ(map()->unused_property_fields(),
(map()->inobject_properties() + properties()->length() - (map()->inobject_properties() + properties()->length() -
......
...@@ -4088,14 +4088,16 @@ ElementsKind JSObject::GetElementsKind() { ...@@ -4088,14 +4088,16 @@ ElementsKind JSObject::GetElementsKind() {
reinterpret_cast<FixedArrayBase*>(READ_FIELD(this, kElementsOffset)); reinterpret_cast<FixedArrayBase*>(READ_FIELD(this, kElementsOffset));
Map* map = fixed_array->map(); Map* map = fixed_array->map();
ASSERT(((kind == FAST_ELEMENTS || kind == FAST_SMI_ONLY_ELEMENTS) && ASSERT(((kind == FAST_ELEMENTS || kind == FAST_SMI_ONLY_ELEMENTS) &&
(map == GetHeap()->fixed_array_map() || (map == GetHeap()->fixed_array_map() ||
map == GetHeap()->fixed_cow_array_map())) || map == GetHeap()->fixed_cow_array_map())) ||
(kind == FAST_DOUBLE_ELEMENTS && (kind == FAST_DOUBLE_ELEMENTS &&
fixed_array->IsFixedDoubleArray()) || fixed_array->IsFixedDoubleArray()) ||
(kind == DICTIONARY_ELEMENTS && (kind == DICTIONARY_ELEMENTS &&
fixed_array->IsFixedArray() && fixed_array->IsFixedArray() &&
fixed_array->IsDictionary()) || fixed_array->IsDictionary()) ||
(kind > DICTIONARY_ELEMENTS)); (kind > DICTIONARY_ELEMENTS));
ASSERT((kind != NON_STRICT_ARGUMENTS_ELEMENTS) ||
(elements()->IsFixedArray() && elements()->length() >= 2));
#endif #endif
return kind; return kind;
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment