[heap] Fix top_on_previous_step_ check in PagedSpace::AllocateRaw.

Both the top_ pointer and the top_on_previous_step_ pointer can be one byte beyond the current page. Page::FromAddress call should take that into account. Bug: chromium:777177 Change-Id: I9cbb5bc6eab932afc6d0c915fd70a9a7b20ba62c Reviewed-on: https://chromium-review.googlesource.com/738204 Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Hannes Payer <hpayer@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#48962}

[heap] Fix top_on_previous_step_ check in PagedSpace::AllocateRaw.
Both the top_ pointer and the top_on_previous_step_ pointer can be one byte beyond the current page. Page::FromAddress call should take that into account. Bug: chromium:777177 Change-Id: I9cbb5bc6eab932afc6d0c915fd70a9a7b20ba62c Reviewed-on: https://chromium-review.googlesource.com/738204 Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Hannes Payer <hpayer@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#48962}
7f8f2833 · Ulan Degenbaev · Commit Bot · 7876d4e0 · 7f8f2833 · 7f8f2833
Commit 7f8f2833 authored Oct 26, 2017 by Ulan Degenbaev Committed by Commit Bot Oct 26, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 51 additions and 9 deletions

spaces-inl.h src/heap/spaces-inl.h +7 -4

heap-tester.h test/cctest/heap/heap-tester.h +1 -0

test-spaces.cc test/cctest/heap/test-spaces.cc +43 -5

No files found.
--- a/src/heap/spaces-inl.h
+++ b/src/heap/spaces-inl.h
@@ -370,10 +370,13 @@ AllocationResult PagedSpace::AllocateRawAligned(int size_in_bytes,
 AllocationResult PagedSpace::AllocateRaw(int size_in_bytes,
                                         AllocationAlignment alignment) {
-  if (top() < top_on_previous_step_) {
+  if (top_on_previous_step_ && top() < top_on_previous_step_ &&
-    // Generated code decreased the top() pointer to do folded allocations
+      SupportsInlineAllocation()) {
-    DCHECK_EQ(Page::FromAddress(top()),
+    // Generated code decreased the top() pointer to do folded allocations.
-              Page::FromAddress(top_on_previous_step_));
+    // The top_on_previous_step_ can be one byte beyond the current page.
+    DCHECK_NOT_NULL(top());
+    DCHECK_EQ(Page::FromAllocationAreaAddress(top()),
+              Page::FromAllocationAreaAddress(top_on_previous_step_ - 1));
    top_on_previous_step_ = top();
  }
  size_t bytes_since_last =

--- a/test/cctest/heap/heap-tester.h
+++ b/test/cctest/heap/heap-tester.h
@@ -40,6 +40,7 @@
  V(Regress658718)                                        \
  V(Regress670675)                                        \
  V(Regress5831)                                          \
+  V(Regress777177)                                        \
  V(RegressMissingWriteBarrierInAllocate)                 \
  V(WriteBarriersInCopyJSObject)

--- a/test/cctest/heap/test-spaces.cc
+++ b/test/cctest/heap/test-spaces.cc
@@ -80,8 +80,6 @@ class TestCodeRangeScope {
  DISALLOW_COPY_AND_ASSIGN(TestCodeRangeScope);
 };
-namespace test_spaces {
 static void VerifyMemoryChunk(Isolate* isolate,
                              Heap* heap,
                              CodeRange* code_range,
@@ -136,7 +134,6 @@ static void VerifyMemoryChunk(Isolate* isolate,
  delete memory_allocator;
 }
 TEST(Regress3540) {
  Isolate* isolate = CcTest::i_isolate();
  Heap* heap = isolate->heap();
@@ -562,7 +559,6 @@ UNINITIALIZED_TEST(AllocationObserver) {
  isolate->Dispose();
 }
 UNINITIALIZED_TEST(InlineAllocationObserverCadence) {
  v8::Isolate::CreateParams create_params;
  create_params.array_buffer_allocator = CcTest::array_buffer_allocator();
@@ -600,6 +596,49 @@ UNINITIALIZED_TEST(InlineAllocationObserverCadence) {
  isolate->Dispose();
 }
+HEAP_TEST(Regress777177) {
+  CcTest::InitializeVM();
+  Isolate* isolate = CcTest::i_isolate();
+  Heap* heap = isolate->heap();
+  HandleScope scope(isolate);
+  PagedSpace* old_space = heap->old_space();
+  Observer observer(128);
+  old_space->AddAllocationObserver(&observer);
+  int area_size = old_space->AreaSize();
+  int max_object_size = kMaxRegularHeapObjectSize;
+  int filler_size = area_size - max_object_size;
+  {
+    // Ensure a new linear allocation area on a fresh page.
+    AlwaysAllocateScope always_allocate(isolate);
+    heap::SimulateFullSpace(old_space);
+    AllocationResult result = old_space->AllocateRaw(filler_size, kWordAligned);
+    HeapObject* obj = result.ToObjectChecked();
+    heap->CreateFillerObjectAt(obj->address(), filler_size,
+                               ClearRecordedSlots::kNo);
+  }
+  {
+    // Allocate all bytes of the linear allocation area. This moves top_ and
+    // top_on_previous_step_ to the next page.
+    AllocationResult result =
+        old_space->AllocateRaw(max_object_size, kWordAligned);
+    HeapObject* obj = result.ToObjectChecked();
+    // Simulate allocation folding moving the top pointer back.
+    old_space->SetTopAndLimit(obj->address(), old_space->limit());
+  }
+  {
+    // This triggers assert in crbug.com/777177.
+    AllocationResult result = old_space->AllocateRaw(filler_size, kWordAligned);
+    HeapObject* obj = result.ToObjectChecked();
+    heap->CreateFillerObjectAt(obj->address(), filler_size,
+                               ClearRecordedSlots::kNo);
+  }
+  old_space->RemoveAllocationObserver(&observer);
+}
 TEST(ShrinkPageToHighWaterMarkFreeSpaceEnd) {
  FLAG_stress_incremental_marking = false;
  CcTest::InitializeVM();
@@ -704,7 +743,6 @@ TEST(ShrinkPageToHighWaterMarkTwoWordFiller) {
  CHECK_EQ(0u, shrunk);
 }
-}  // namespace test_spaces
 }  // namespace heap
 }  // namespace internal
 }  // namespace v8