Revert of [heap] Remove retry space from AllocateRaw. (patchset #3 id:40001 of...

Revert of [heap] Remove retry space from AllocateRaw. (patchset #3 id:40001 of https://codereview.chromium.org/1370123002/ ) Reason for revert: Breaks arm64 nosnap simulator (bogus cctest?): https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20nosnap%20-%20debug%20-%201/builds/2934/steps/Bisect%202786ceec.Retry/logs/IncrementalWriteBarri.. Original issue's description: > [heap] Remove retry space from AllocateRaw. > > BUG= > > Committed: https://crrev.com/2786ceec1eb491494d24d29a59eefbe3b6704be2 > Cr-Commit-Position: refs/heads/master@{#30984} TBR=mstarzinger@chromium.org,hpayer@chromium.org NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG= Review URL: https://codereview.chromium.org/1379493003 Cr-Commit-Position: refs/heads/master@{#30991}

Revert of [heap] Remove retry space from AllocateRaw. (patchset #3 id:40001 of...
Revert of [heap] Remove retry space from AllocateRaw. (patchset #3 id:40001 of https://codereview.chromium.org/1370123002/ ) Reason for revert: Breaks arm64 nosnap simulator (bogus cctest?): https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20nosnap%20-%20debug%20-%201/builds/2934/steps/Bisect%202786ceec.Retry/logs/IncrementalWriteBarri.. Original issue's description: > [heap] Remove retry space from AllocateRaw. > > BUG= > > Committed: https://crrev.com/2786ceec1eb491494d24d29a59eefbe3b6704be2 > Cr-Commit-Position: refs/heads/master@{#30984} TBR=mstarzinger@chromium.org,hpayer@chromium.org NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG= Review URL: https://codereview.chromium.org/1379493003 Cr-Commit-Position: refs/heads/master@{#30991}
6529971a · bmeurer · Commit bot · d5a9dd65 · 6529971a · 6529971a
Commit 6529971a authored Sep 29, 2015 by bmeurer Committed by Commit bot Sep 29, 2015
7 changed files
--- a/src/heap/heap-inl.h
+++ b/src/heap/heap-inl.h
@@ -126,7 +126,7 @@ AllocationResult Heap::AllocateOneByteInternalizedString(
  // Allocate string.
  HeapObject* result = nullptr;
  {
-    AllocationResult allocation = AllocateRaw(size, OLD_SPACE);
+    AllocationResult allocation = AllocateRaw(size, OLD_SPACE, OLD_SPACE);
    if (!allocation.To(&result)) return allocation;
  }

@@ -157,7 +157,7 @@ AllocationResult Heap::AllocateTwoByteInternalizedString(Vector<const uc16> str,
  // Allocate string.
  HeapObject* result = nullptr;
  {
-    AllocationResult allocation = AllocateRaw(size, OLD_SPACE);
+    AllocationResult allocation = AllocateRaw(size, OLD_SPACE, OLD_SPACE);
    if (!allocation.To(&result)) return allocation;
  }

@@ -189,6 +189,7 @@ AllocationResult Heap::CopyFixedDoubleArray(FixedDoubleArray* src) {


 AllocationResult Heap::AllocateRaw(int size_in_bytes, AllocationSpace space,
+                                   AllocationSpace retry_space,
                                   AllocationAlignment alignment) {
  DCHECK(AllowHandleAllocation::IsAllowed());
  DCHECK(AllowHeapAllocation::IsAllowed());
@@ -206,14 +207,19 @@ AllocationResult Heap::AllocateRaw(int size_in_bytes, AllocationSpace space,
  HeapObject* object = nullptr;
  AllocationResult allocation;
  if (NEW_SPACE == space) {
-    if (large_object) {
-      space = LO_SPACE;
-    } else {
+    if (!large_object) {
      allocation = new_space_.AllocateRaw(size_in_bytes, alignment);
-      if (allocation.To(&object)) {
-        OnAllocationEvent(object, size_in_bytes);
+      if (always_allocate() && allocation.IsRetry() &&
+          retry_space != NEW_SPACE) {
+        space = retry_space;
+      } else {
+        if (allocation.To(&object)) {
+          OnAllocationEvent(object, size_in_bytes);
+        }
+        return allocation;
      }
-      return allocation;
+    } else {
+      space = LO_SPACE;
    }
  }


--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
--- a/src/heap/heap.h
+++ b/src/heap/heap.h
@@ -1967,7 +1967,7 @@ class Heap {
  // performed by the runtime and should not be bypassed (to extend this to
  // inlined allocations, use the Heap::DisableInlineAllocation() support).
  MUST_USE_RESULT inline AllocationResult AllocateRaw(
-      int size_in_bytes, AllocationSpace space,
+      int size_in_bytes, AllocationSpace space, AllocationSpace retry_space,
      AllocationAlignment aligment = kWordAligned);

  // Allocates a heap object based on the map.

--- a/test/cctest/test-alloc.cc
+++ b/test/cctest/test-alloc.cc
@@ -40,6 +40,7 @@ AllocationResult v8::internal::HeapTester::AllocateAfterFailures() {
  Heap* heap = CcTest::heap();

  // New space.
+  SimulateFullSpace(heap->new_space());
  heap->AllocateByteArray(100).ToObjectChecked();
  heap->AllocateFixedArray(100, NOT_TENURED).ToObjectChecked();


--- a/test/cctest/test-heap.cc
+++ b/test/cctest/test-heap.cc
@@ -1181,6 +1181,85 @@ TEST(Iteration) {
 }


+static int LenFromSize(int size) {
+  return (size - FixedArray::kHeaderSize) / kPointerSize;
+}
+
+
+HEAP_TEST(Regression39128) {
+  // Test case for crbug.com/39128.
+  CcTest::InitializeVM();
+  Isolate* isolate = CcTest::i_isolate();
+  Heap* heap = CcTest::heap();
+
+  // Increase the chance of 'bump-the-pointer' allocation in old space.
+  heap->CollectAllGarbage();
+
+  v8::HandleScope scope(CcTest::isolate());
+
+  // The plan: create JSObject which references objects in new space.
+  // Then clone this object (forcing it to go into old space) and check
+  // that region dirty marks are updated correctly.
+
+  // Step 1: prepare a map for the object.  We add 1 inobject property to it.
+  // Create a map with single inobject property.
+  Handle<Map> my_map = Map::Create(CcTest::i_isolate(), 1);
+  int n_properties = my_map->GetInObjectProperties();
+  CHECK_GT(n_properties, 0);
+
+  int object_size = my_map->instance_size();
+
+  // Step 2: allocate a lot of objects so to almost fill new space: we need
+  // just enough room to allocate JSObject and thus fill the newspace.
+
+  int allocation_amount = Min(FixedArray::kMaxSize,
+                              Page::kMaxRegularHeapObjectSize + kPointerSize);
+  int allocation_len = LenFromSize(allocation_amount);
+  NewSpace* new_space = heap->new_space();
+  DisableInlineAllocationSteps(new_space);
+  Address* top_addr = new_space->allocation_top_address();
+  Address* limit_addr = new_space->allocation_limit_address();
+  while ((*limit_addr - *top_addr) > allocation_amount) {
+    CHECK(!heap->always_allocate());
+    Object* array = heap->AllocateFixedArray(allocation_len).ToObjectChecked();
+    CHECK(new_space->Contains(array));
+  }
+
+  // Step 3: now allocate fixed array and JSObject to fill the whole new space.
+  int to_fill = static_cast<int>(*limit_addr - *top_addr - object_size);
+  int fixed_array_len = LenFromSize(to_fill);
+  CHECK(fixed_array_len < FixedArray::kMaxLength);
+
+  CHECK(!heap->always_allocate());
+  Object* array = heap->AllocateFixedArray(fixed_array_len).ToObjectChecked();
+  CHECK(new_space->Contains(array));
+
+  Object* object = heap->AllocateJSObjectFromMap(*my_map).ToObjectChecked();
+  CHECK(new_space->Contains(object));
+  JSObject* jsobject = JSObject::cast(object);
+  CHECK_EQ(0, FixedArray::cast(jsobject->elements())->length());
+  CHECK_EQ(0, jsobject->properties()->length());
+  // Create a reference to object in new space in jsobject.
+  FieldIndex index = FieldIndex::ForInObjectOffset(
+      JSObject::kHeaderSize - kPointerSize);
+  jsobject->FastPropertyAtPut(index, array);
+
+  CHECK_EQ(0, static_cast<int>(*limit_addr - *top_addr));
+
+  // Step 4: clone jsobject, but force always allocate first to create a clone
+  // in old pointer space.
+  Address old_space_top = heap->old_space()->top();
+  AlwaysAllocateScope aa_scope(isolate);
+  Object* clone_obj = heap->CopyJSObject(jsobject).ToObjectChecked();
+  JSObject* clone = JSObject::cast(clone_obj);
+  if (clone->address() != old_space_top) {
+    // Alas, got allocated from free list, we cannot do checks.
+    return;
+  }
+  CHECK(heap->old_space()->Contains(clone->address()));
+}
+
+
 UNINITIALIZED_TEST(TestCodeFlushing) {
  // If we do not flush code this test is invalid.
  if (!FLAG_flush_code) return;
@@ -3612,6 +3691,38 @@ TEST(CountForcedGC) {
 }


+TEST(Regress2237) {
+  i::FLAG_stress_compaction = false;
+  CcTest::InitializeVM();
+  Isolate* isolate = CcTest::i_isolate();
+  Factory* factory = isolate->factory();
+  v8::HandleScope scope(CcTest::isolate());
+  Handle<String> slice(CcTest::heap()->empty_string());
+
+  {
+    // Generate a parent that lives in new-space.
+    v8::HandleScope inner_scope(CcTest::isolate());
+    const char* c = "This text is long enough to trigger sliced strings.";
+    Handle<String> s = factory->NewStringFromAsciiChecked(c);
+    CHECK(s->IsSeqOneByteString());
+    CHECK(CcTest::heap()->InNewSpace(*s));
+
+    // Generate a sliced string that is based on the above parent and
+    // lives in old-space.
+    SimulateFullSpace(CcTest::heap()->new_space());
+    AlwaysAllocateScope always_allocate(isolate);
+    Handle<String> t = factory->NewProperSubString(s, 5, 35);
+    CHECK(t->IsSlicedString());
+    CHECK(!CcTest::heap()->InNewSpace(*t));
+    *slice.location() = *t.location();
+  }
+
+  CHECK(SlicedString::cast(*slice)->parent()->IsSeqOneByteString());
+  CcTest::heap()->CollectAllGarbage();
+  CHECK(SlicedString::cast(*slice)->parent()->IsSeqOneByteString());
+}
+
+
 #ifdef OBJECT_PRINT
 TEST(PrintSharedFunctionInfo) {
  CcTest::InitializeVM();

--- a/test/cctest/test-strings.cc
+++ b/test/cctest/test-strings.cc
@@ -642,7 +642,6 @@ static inline void PrintStats(const ConsStringGenerationData& data) {

 template<typename BuildString>
 void TestStringCharacterStream(BuildString build, int test_cases) {
-  FLAG_gc_global = true;
  CcTest::InitializeVM();
  Isolate* isolate = CcTest::i_isolate();
  HandleScope outer_scope(isolate);

--- a/test/cctest/test-unboxed-doubles.cc
+++ b/test/cctest/test-unboxed-doubles.cc
@@ -1404,6 +1404,89 @@ TEST(StoreBufferScanOnScavenge) {
 }


+static int LenFromSize(int size) {
+  return (size - FixedArray::kHeaderSize) / kPointerSize;
+}
+
+
+HEAP_TEST(WriteBarriersInCopyJSObject) {
+  FLAG_max_semi_space_size = 1;  // Ensure new space is not growing.
+  CcTest::InitializeVM();
+  Isolate* isolate = CcTest::i_isolate();
+  Heap* heap = CcTest::heap();
+
+  v8::HandleScope scope(CcTest::isolate());
+
+  // The plan: create JSObject which contains unboxed double value that looks
+  // like a reference to an object in new space.
+  // Then clone this object (forcing it to go into old space) and check
+  // that the value of the unboxed double property of the cloned object has
+  // was not corrupted by GC.
+
+  // Step 1: prepare a map for the object. We add unboxed double property to it.
+  // Create a map with single inobject property.
+  Handle<Map> my_map = Map::Create(isolate, 1);
+  Handle<String> name = isolate->factory()->InternalizeUtf8String("foo");
+  my_map = Map::CopyWithField(my_map, name, HeapType::Any(isolate), NONE,
+                              Representation::Double(),
+                              INSERT_TRANSITION).ToHandleChecked();
+
+  int object_size = my_map->instance_size();
+
+  // Step 2: allocate a lot of objects so to almost fill new space: we need
+  // just enough room to allocate JSObject and thus fill the newspace.
+
+  int allocation_amount =
+      Min(FixedArray::kMaxSize, Page::kMaxRegularHeapObjectSize + kPointerSize);
+  int allocation_len = LenFromSize(allocation_amount);
+  NewSpace* new_space = heap->new_space();
+  DisableInlineAllocationSteps(new_space);
+  Address* top_addr = new_space->allocation_top_address();
+  Address* limit_addr = new_space->allocation_limit_address();
+  while ((*limit_addr - *top_addr) > allocation_amount) {
+    CHECK(!heap->always_allocate());
+    Object* array = heap->AllocateFixedArray(allocation_len).ToObjectChecked();
+    CHECK(new_space->Contains(array));
+  }
+
+  // Step 3: now allocate fixed array and JSObject to fill the whole new space.
+  int to_fill = static_cast<int>(*limit_addr - *top_addr - object_size);
+  int fixed_array_len = LenFromSize(to_fill);
+  CHECK(fixed_array_len < FixedArray::kMaxLength);
+
+  CHECK(!heap->always_allocate());
+  Object* array = heap->AllocateFixedArray(fixed_array_len).ToObjectChecked();
+  CHECK(new_space->Contains(array));
+
+  Object* object = heap->AllocateJSObjectFromMap(*my_map).ToObjectChecked();
+  CHECK(new_space->Contains(object));
+  JSObject* jsobject = JSObject::cast(object);
+  CHECK_EQ(0, FixedArray::cast(jsobject->elements())->length());
+  CHECK_EQ(0, jsobject->properties()->length());
+
+  // Construct a double value that looks like a pointer to the new space object
+  // and store it into the obj.
+  Address fake_object = reinterpret_cast<Address>(array) + kPointerSize;
+  double boom_value = bit_cast<double>(fake_object);
+  FieldIndex index = FieldIndex::ForDescriptor(*my_map, 0);
+  jsobject->RawFastDoublePropertyAtPut(index, boom_value);
+
+  CHECK_EQ(0, static_cast<int>(*limit_addr - *top_addr));
+
+  // Step 4: clone jsobject, but force always allocate first to create a clone
+  // in old pointer space.
+  AlwaysAllocateScope aa_scope(isolate);
+  Object* clone_obj = heap->CopyJSObject(jsobject).ToObjectChecked();
+  Handle<JSObject> clone(JSObject::cast(clone_obj));
+  CHECK(heap->old_space()->Contains(clone->address()));
+
+  CcTest::heap()->CollectGarbage(NEW_SPACE, "boom");
+
+  // The value in cloned object should not be corrupted by GC.
+  CHECK_EQ(boom_value, clone->RawFastDoublePropertyAt(index));
+}
+
+
 static void TestWriteBarrier(Handle<Map> map, Handle<Map> new_map,
                             int tagged_descriptor, int double_descriptor,
                             bool check_tagged_value = true) {