Commit 55e924c5 authored by verwaest@chromium.org's avatar verwaest@chromium.org

Fix CNLT regression.

This happens when a map A with no descriptors in fast_holey_elements
mode first gets some properties, making it share descriptor arrays with
a map B to which it transitions. Then map A transitions elements kind to
dictionary_elements in map C. C stores the empty_descriptor_array in its
own transition array. When adding a property to C, C transitions to D
and shares the descriptors. If D dies, a CNLT clears the transition
array of C, making the descriptor array of A (and thus also of B) shine
through. If a property is now added to an object in state C, it'll inherit
all the properties of A (and B). If those properties had high field indices,
we do not have a large enough backing store for the single newly added
property, and we'll write out of bounds.

BUG=chromium:151749

Review URL: https://chromiumcodereview.appspot.com/11017054

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12687 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent 8b299a5b
......@@ -562,7 +562,12 @@ void Map::MapPrint(FILE* out) {
if (is_access_check_needed()) {
PrintF(out, " - access_check_needed\n");
}
PrintF(out, " - instance descriptors: ");
PrintF(out, " - back pointer: ");
GetBackPointer()->ShortPrint(out);
PrintF(out, "\n - instance descriptors %i #%i %i: ",
owns_descriptors(),
NumberOfOwnDescriptors(),
StoresOwnDescriptors());
instance_descriptors()->ShortPrint(out);
if (HasTransitionArray()) {
PrintF(out, "\n - transitions: ");
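Review bot: The new format string at `PrintF(out, "\n - instance descriptors %i #%i %i: "` prints three unlabeled numbers, so a reader of the heap dump cannot tell which value is owns_descriptors(), which is NumberOfOwnDescriptors() and which is StoresOwnDescriptors() without opening this file. Labelling them costs nothing in a debug printer: `PrintF(out, "\n - instance descriptors (owns=%i, count=%i, stores=%i): ",`. MapPrint starts before this hunk and continues after it.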
......@@ -5145,7 +5145,7 @@ MaybeObject* Map::CopyAsElementsKind(ElementsKind kind, TransitionFlag flag) {
ASSERT(new_map->NumberOfOwnDescriptors() == NumberOfOwnDescriptors());
new_map->set_elements_kind(kind);
if (flag == INSERT_TRANSITION) {
if (flag == INSERT_TRANSITION && !HasElementsTransition()) {
// Map::Copy does not store the descriptor array in case it is empty, since
// it does not insert a back pointer; implicitly indicating that its
// descriptor array is empty. Since in this case we do want to insert a back
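Review bot: The added `!HasElementsTransition()` guard silently downgrades an INSERT_TRANSITION request when the map already has an elements transition, so the caller receives a copy that is not linked into the transition tree, and neither the signature nor the surrounding comment says so. The new condition deserves its own comment, e.g. `// Do not overwrite an existing elements transition; the copy is then left detached, as if no transition had been requested.` — hedged, because the code that sets the back pointer and stores the transition lies past the end of this hunk. It would also be worth checking, outside this hunk, that every INSERT_TRANSITION caller tolerates a detached result. CopyAsElementsKind starts before the hunk and continues after it.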
......@@ -7564,16 +7564,6 @@ void Map::ClearNonLiveTransitions(Heap* heap) {
set_owns_descriptors(true);
}
// If the final transition array does not contain any live transitions, remove
// the transition array from the map.
if (transition_index == 0 &&
!t->HasElementsTransition() &&
!t->HasPrototypeTransitions() &&
number_of_own_descriptors == 0) {
ASSERT(owns_descriptors());
return ClearTransitions(heap);
}
int trim = t->number_of_transitions() - transition_index;
if (trim > 0) {
RightTrimFixedArray<FROM_GC>(heap, t, t->IsSimpleTransition()
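Review bot: Nothing left in ClearNonLiveTransitions records why the empty-transition-array shortcut was removed, and a later reader will be tempted to reinstate it as an optimisation. Per the commit message the transition array is what holds this map's own (possibly empty) descriptor array, so dropping it when `transition_index == 0` lets the parent's descriptors shine through and a newly added property can land at a field index beyond the backing store. I would put that reasoning where the block was: `// Keep the transition array even when no transitions survive: it owns this map's descriptor array, and dropping it would expose the parent's descriptors (see chromium:151749).`. The `ASSERT(owns_descriptors())` went with the block; if that invariant still holds in the `transition_index == 0` case it could be kept as a bare assert just before the trim. The function starts before this hunk and the RightTrimFixedArray call continues past its last line.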
// Copyright 2012 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Flags: --expose-gc
var a = JSON.parse('{"b":1,"c":2,"d":3,"e":4}');
var b = JSON.parse('{"12040200":1, "a":2, "b":2}');
var c = JSON.parse('{"24050300":1}');
b = null;
gc();
gc();
c.a1 = 2;
c.a2 = 2;
c.a3 = 2;
c.a4 = 2;
c.a5 = 2;
c.a6 = 2;
c.a7 = 2;
c.a8 = 2;
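Review bot: The test carries no comment and no assertion, so a future reader cannot tell what it guards or that its only pass criterion is finishing without a crash or debug ASSERT. A header comment tying it to the fix would help, e.g. `// Regression test for chromium:151749: after b dies and gc() clears its transition, adding properties to c must not inherit a's descriptors (and their large field indices).` — the mapping of a, b and c to the maps described in the commit message is my inference, so confirm it against the map tree before committing the wording. The `// Flags: --expose-gc` line is what makes `gc()` available here, so it must stay with the test if the file is moved.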