[heap] After left trimming, verify that we don't have pointers to the filler object.

BUG=chromium:859809 Change-Id: I9ac81585c7f141cb1839ff7de237e0930f44e634 Reviewed-on: https://chromium-review.googlesource.com/1124450Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#54219}

[heap] After left trimming, verify that we don't have pointers to the filler object.
BUG=chromium:859809 Change-Id: I9ac81585c7f141cb1839ff7de237e0930f44e634 Reviewed-on: https://chromium-review.googlesource.com/1124450Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#54219}
67c10796 · Marja Hölttä · Commit Bot · 916e35d7 · 67c10796 · 67c10796
Commit 67c10796 authored Jul 04, 2018 by Marja Hölttä Committed by Commit Bot Jul 04, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 36 additions and 0 deletions

elements.cc src/elements.cc +3 -0

heap.cc src/heap/heap.cc +33 -0

No files found.
--- a/src/elements.cc
+++ b/src/elements.cc
@@ -2278,6 +2278,9 @@ class FastElementsAccessor : public ElementsAccessorBase<Subclass, KindTraits> {
    Handle<BackingStore> dst_elms = Handle<BackingStore>::cast(backing_store);
    if (len > JSArray::kMaxCopyElements && dst_index == 0 &&
        heap->CanMoveObjectStart(*dst_elms)) {
+      // Remove all the pointers to the FixedArrayBase we're going to left trim
+      // from the heap.
+      receiver->set_elements(heap->empty_fixed_array());
      // Update all the copies of this backing_store handle.
      *dst_elms.location() =
          BackingStore::cast(heap->LeftTrimFixedArray(*dst_elms, src_index));

--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -2840,6 +2840,29 @@ bool Heap::IsImmovable(HeapObject* object) {
  return chunk->NeverEvacuate() || chunk->owner()->identity() == LO_SPACE;
 }

+#ifdef ENABLE_SLOW_DCHECKS
+namespace {
+
+class LeftTrimmerVerifierRootVisitor : public RootVisitor {
+ public:
+  explicit LeftTrimmerVerifierRootVisitor(FixedArrayBase* to_check)
+      : to_check_(to_check) {}
+
+  virtual void VisitRootPointers(Root root, const char* description,
+                                 Object** start, Object** end) {
+    for (Object** p = start; p < end; ++p) {
+      DCHECK_NE(*p, to_check_);
+    }
+  }
+
+ private:
+  FixedArrayBase* to_check_;
+
+  DISALLOW_COPY_AND_ASSIGN(LeftTrimmerVerifierRootVisitor);
+};
+}  // namespace
+#endif  // ENABLE_SLOW_DCHECKS
+
 FixedArrayBase* Heap::LeftTrimFixedArray(FixedArrayBase* object,
                                         int elements_to_trim) {
  CHECK_NOT_NULL(object);
@@ -2895,6 +2918,16 @@ FixedArrayBase* Heap::LeftTrimFixedArray(FixedArrayBase* object,

  // Notify the heap profiler of change in object layout.
  OnMoveEvent(new_object, object, new_object->Size());
+
+#ifdef ENABLE_SLOW_DCHECKS
+  if (FLAG_enable_slow_asserts) {
+    // Make sure the stack or other roots (e.g., Handles) don't contain pointers
+    // to the original FixedArray (which is now the filler object).
+    LeftTrimmerVerifierRootVisitor root_visitor(object);
+    IterateRoots(&root_visitor, VISIT_ALL);
+  }
+#endif  // ENABLE_SLOW_DCHECKS
+
  return new_object;
 }