Make new space iterable when transitioning double array to objects

R=hpayer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/228643002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20603 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/arm/codegen-arm.cc

@@ -562,7 +562,7 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
   //  -- r3    : target map, scratch for subsequent call
   //  -- r4    : scratch (elements)
   // -----------------------------------
-  Label entry, loop, convert_hole, gc_required, only_change_map;
+  Label entry, loop, convert_hole, gc_required, gc_cleanup, only_change_map;
 
   if (mode == TRACK_ALLOCATION_SITE) {
     __ JumpIfJSArrayHasAllocationMemento(r2, r4, fail);
@@ -604,6 +604,15 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
   // r9: heap number map
   __ b(&entry);
 
+  __ bind(&gc_cleanup);
+#ifdef VERIFY_HEAP
+  // Make sure new space is iterable if we are verifying the heap.
+  __ mov(r0, Operand(masm->isolate()->factory()->one_pointer_filler_map()));
+  __ str(r0, MemOperand(r3, 4, PostIndex));
+  __ cmp(r3, r5);
+  __ b(lt, &gc_cleanup);
+#endif
+
   // Call into runtime if GC is required.
   __ bind(&gc_required);
   __ Pop(r3, r2, r1, r0);
@@ -618,7 +627,7 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
   __ b(eq, &convert_hole);
 
   // Non-hole double, copy value into a heap number.
-  __ AllocateHeapNumber(r2, r0, lr, r9, &gc_required);
+  __ AllocateHeapNumber(r2, r0, lr, r9, &gc_cleanup);
   // r2: new heap number
   __ ldr(r0, MemOperand(r4, 12, NegOffset));
   __ Strd(r0, r1, FieldMemOperand(r2, HeapNumber::kValueOffset));

src/arm64/codegen-arm64.cc

@@ -324,6 +324,16 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
   Label entry;
   __ B(&entry);
 
+  Label gc_cleanup;
+  __ Bind(&gc_cleanup);
+#ifdef VERIFY_HEAP
+  // Make sure new space is iterable if we are verifying the heap.
+  __ Mov(x5, Operand(masm->isolate()->factory()->one_pointer_filler_map()));
+  __ Str(x5, MemOperand(dst_elements, kPointerSize, PostIndex));
+  __ Cmp(dst_elements, dst_end);
+  __ B(lt, &gc_cleanup);
+#endif
+
   // Call into runtime if GC is required.
   __ Bind(&gc_required);
   __ Pop(value, key, receiver, target_map);
@@ -339,7 +349,7 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
 
     // Non-hole double, copy value into a heap number.
     Register heap_num = x5;
-    __ AllocateHeapNumber(heap_num, &gc_required, x6, x4,
+    __ AllocateHeapNumber(heap_num, &gc_cleanup, x6, x4,
                           x13, heap_num_map);
     __ Mov(x13, dst_elements);
     __ Str(heap_num, MemOperand(dst_elements, kPointerSize, PostIndex));

src/ia32/codegen-ia32.cc

@@ -783,7 +783,8 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
   //  -- edx    : receiver
   //  -- esp[0] : return address
   // -----------------------------------
-  Label loop, entry, convert_hole, gc_required, only_change_map, success;
+  Label loop, entry, convert_hole, gc_required, gc_cleanup, only_change_map,
+      success;
 
   if (mode == TRACK_ALLOCATION_SITE) {
     __ JumpIfJSArrayHasAllocationMemento(edx, edi, fail);
@@ -829,8 +830,16 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
                       OMIT_SMI_CHECK);
   __ jmp(&success);
 
-  // Call into runtime if GC is required.
+  __ bind(&gc_cleanup);
+#ifdef VERIFY_HEAP
+  // Make sure new space is iterable if we are verifying the heap.
+  __ mov(edx, masm->isolate()->factory()->one_pointer_filler_map());
+  __ mov(FieldOperand(eax, ebx, times_2, FixedArray::kHeaderSize), edx);
+  __ sub(ebx, Immediate(Smi::FromInt(1)));
+  __ j(not_sign, &gc_cleanup);
+#endif
   __ bind(&gc_required);
+  // Call into runtime if GC is required.
   __ mov(esi, Operand(ebp, StandardFrameConstants::kContextOffset));
   __ pop(ebx);
   __ pop(edx);
@@ -847,7 +856,7 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
   __ j(equal, &convert_hole);
 
   // Non-hole double, copy value into a heap number.
-  __ AllocateHeapNumber(edx, esi, no_reg, &gc_required);
+  __ AllocateHeapNumber(edx, esi, no_reg, &gc_cleanup);
   // edx: new heap number
   if (CpuFeatures::IsSupported(SSE2)) {
     CpuFeatureScope fscope(masm, SSE2);

src/x64/codegen-x64.cc

@@ -369,7 +369,7 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
   //  -- rdx    : receiver
   //  -- rsp[0] : return address
   // -----------------------------------
-  Label loop, entry, convert_hole, gc_required, only_change_map;
+  Label loop, entry, convert_hole, gc_required, gc_cleanup, only_change_map;
 
   if (mode == TRACK_ALLOCATION_SITE) {
     __ JumpIfJSArrayHasAllocationMemento(rdx, rdi, fail);
@@ -402,6 +402,19 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
   // rdi: pointer to the-hole
   __ jmp(&entry);
 
+  __ bind(&gc_cleanup);
+#ifdef VERIFY_HEAP
+  // Make sure new space is iterable if we are verifying the heap.
+  __ Move(rax, masm->isolate()->factory()->one_pointer_filler_map());
+  __ movp(FieldOperand(r11,
+                       r9,
+                       times_pointer_size,
+                       FixedArray::kHeaderSize),
+          rax);
+  __ decp(r9);
+  __ j(not_sign, &gc_cleanup);
+#endif
+
   // Call into runtime if GC is required.
   __ bind(&gc_required);
   __ Pop(rax);
@@ -420,7 +433,7 @@ void ElementsTransitionGenerator::GenerateDoubleToObject(
   __ j(equal, &convert_hole);
 
   // Non-hole double, copy value into a heap number.
-  __ AllocateHeapNumber(rax, r15, &gc_required);
+  __ AllocateHeapNumber(rax, r15, &gc_cleanup);
   // rax: new heap number
   __ movq(FieldOperand(rax, HeapNumber::kValueOffset), r14);
   __ movp(FieldOperand(r11,

test/mjsunit/regress/regress-transition-elements-heap-verification.js

+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc --allow-natives-syntax --verify-heap --stress-compaction
+
+%SetAllocationTimeout(1000000, 1000000);
+
+function classOf(object) {
+  var string = Object.prototype.toString.call(object);
+  return string.substring(8, string.length - 1);
+}
+
+function PrettyPrint() { }
+
+function fail() { }
+
+function deepEquals(a, b) {
+  if (a === b) return true;
+  var objectClass = classOf(a);
+  var objectClassB = classOf(b);
+  if (objectClass !== objectClassB) return false;
+}
+
+function assertEquals(expected, found, name_opt) {
+  deepEquals(found, expected);
+  fail(PrettyPrint());
+}
+
+function assertTrue(value, name_opt) { assertEquals(true, value, name_opt); }
+
+var __v_3 = {};
+
+assertEquals(true, true);
+
+Object.prototype.__defineGetter__(0, function() { } );
+var __v_9 = { };
+
+function __f_11(obj) {
+  if (%HasFastObjectElements(obj)) return __v_9.dummy2;
+  assertTrue(true);
+}
+
+function __f_10(expected, obj) {
+  assertEquals(true, __f_11(obj));
+}
+
+var __sequence = undefined + 1;
+
+function __f_12() {
+  this.__sequence = this.__sequence + 1;
+  return eval("/* " + this.__sequence + " */  [-5, 3, 9];");
+}
+
+function __f_15() {
+  var __v_8 = __f_12();
+  __v_8[0] = 0;
+  __f_10(__v_9.dummy1, __v_3);
+  return __v_8;
+}
+
+function __f_9() {
+  var __v_8 = __f_15();
+  __v_8[0] = 1.5;
+  __f_10("", __v_8);
+  return __v_8;
+}
+
+function __f_8(array, value, kind) {
+  array[1] = value;
+  __f_10("", array);
+  assertEquals(true, array[1]);
+}
+
+gc();
+%SetAllocationTimeout(100000, 150);
+
+function __f_14() {
+  __f_8(__f_15(), 1.5);
+  __f_8(__f_9(), "x");
+}
+
+__f_14();