Fast-to-slow migration should wipe out in-object space if it exists in the object after migration.

BUG=chromium:436816 LOG=N Review URL: https://codereview.chromium.org/765473004 Cr-Commit-Position: refs/heads/master@{#25535}

Fast-to-slow migration should wipe out in-object space if it exists in the object after migration.
BUG=chromium:436816 LOG=N Review URL: https://codereview.chromium.org/765473004 Cr-Commit-Position: refs/heads/master@{#25535}
916d56d0 · ishell · Commit bot · 4590e4f4 · 916d56d0 · 916d56d0
Commit 916d56d0 authored Nov 27, 2014 by ishell Committed by Commit bot Nov 27, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 54 additions and 1 deletion

objects-inl.h src/objects-inl.h +1 -1

objects.cc src/objects.cc +8 -0

test-unboxed-doubles.cc test/cctest/test-unboxed-doubles.cc +45 -0

No files found.
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -5342,7 +5342,7 @@ void Map::AppendDescriptor(Descriptor* desc) {

 Object* Map::GetBackPointer() {
  Object* object = READ_FIELD(this, kTransitionsOrBackPointerOffset);
-  if (object->IsDescriptorArray()) {
+  if (object->IsTransitionArray()) {
    return TransitionArray::cast(object)->back_pointer_storage();
  } else {
    DCHECK(object->IsMap() || object->IsUndefined());

--- a/src/objects.cc
+++ b/src/objects.cc
@@ -4418,6 +4418,14 @@ void JSObject::MigrateFastToSlow(Handle<JSObject> object,

  object->set_properties(*dictionary);

+  // Ensure that in-object space of slow-mode object does not contain random
+  // garbage.
+  int inobject_properties = new_map->inobject_properties();
+  for (int i = 0; i < inobject_properties; i++) {
+    FieldIndex index = FieldIndex::ForPropertyIndex(*new_map, i);
+    object->RawFastPropertyAtPut(index, Smi::FromInt(0));
+  }
+
  isolate->counters()->props_to_dictionary()->Increment();

 #ifdef DEBUG

--- a/test/cctest/test-unboxed-doubles.cc
+++ b/test/cctest/test-unboxed-doubles.cc
@@ -603,6 +603,51 @@ TEST(LayoutDescriptorAppendIfFastOrUseFullAllDoubles) {
 }


+TEST(Regress436816) {
+  CcTest::InitializeVM();
+  Isolate* isolate = CcTest::i_isolate();
+  Factory* factory = isolate->factory();
+  v8::HandleScope scope(CcTest::isolate());
+
+  const int kPropsCount = kSmiValueSize * 3;
+  PropertyKind props[kPropsCount];
+  for (int i = 0; i < kPropsCount; i++) {
+    props[i] = PROP_DOUBLE;
+  }
+  Handle<DescriptorArray> descriptors =
+      CreateDescriptorArray(isolate, props, kPropsCount);
+
+  Handle<Map> map = Map::Create(isolate, kPropsCount);
+  Handle<LayoutDescriptor> layout_descriptor =
+      LayoutDescriptor::New(map, descriptors, kPropsCount);
+  map->InitializeDescriptors(*descriptors, *layout_descriptor);
+
+  Handle<JSObject> object = factory->NewJSObjectFromMap(map, TENURED);
+
+  Address fake_address = reinterpret_cast<Address>(~kHeapObjectTagMask);
+  HeapObject* fake_object = HeapObject::FromAddress(fake_address);
+  CHECK(fake_object->IsHeapObject());
+
+  double boom_value = bit_cast<double>(fake_object);
+  for (int i = 0; i < kPropsCount; i++) {
+    FieldIndex index = FieldIndex::ForDescriptor(*map, i);
+    CHECK(map->IsUnboxedDoubleField(index));
+    object->RawFastDoublePropertyAtPut(index, boom_value);
+  }
+  CHECK(object->HasFastProperties());
+  CHECK(!object->map()->HasFastPointerLayout());
+
+  Handle<Map> normalized_map =
+      Map::Normalize(map, KEEP_INOBJECT_PROPERTIES, "testing");
+  JSObject::MigrateToMap(object, normalized_map);
+  CHECK(!object->HasFastProperties());
+  CHECK(object->map()->HasFastPointerLayout());
+
+  // Trigger GCs and heap verification.
+  CcTest::heap()->CollectAllGarbage(i::Heap::kNoGCFlags);
+}
+
+
 TEST(StoreBufferScanOnScavenge) {
  CcTest::InitializeVM();
  Isolate* isolate = CcTest::i_isolate();