The Elements pointer in a JSObject can have a filler map instead of a

valid fixed array, iff a gc occurred while allocating a fixed array as part of array construction. Heap verification needs protection against examining the elements object in this case. R=svenpanne@chromium.org Review URL: https://codereview.chromium.org/43383004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17397 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

The Elements pointer in a JSObject can have a filler map instead of a
valid fixed array, iff a gc occurred while allocating a fixed array as part of array construction. Heap verification needs protection against examining the elements object in this case. R=svenpanne@chromium.org Review URL: https://codereview.chromium.org/43383004 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17397 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
a85c825b · mvstanton@chromium.org · 7dd2d6c5 · a85c825b · a85c825b · a85c825b
Commit a85c825b authored Oct 25, 2013 by mvstanton@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 21 deletions

objects-debug.cc src/objects-debug.cc +9 -6

objects-inl.h src/objects-inl.h +17 -12

objects.h src/objects.h +5 -0

mjsunit.status test/mjsunit/mjsunit.status +0 -3

No files found.
--- a/src/objects-debug.cc
+++ b/src/objects-debug.cc
@@ -335,9 +335,7 @@ void JSObject::JSObjectVerify() {

  // If a GC was caused while constructing this object, the elements
  // pointer may point to a one pointer filler map.
-  if ((FLAG_use_gvn && FLAG_use_allocation_folding) ||
-      (reinterpret_cast<Map*>(elements()) !=
-      GetHeap()->one_pointer_filler_map())) {
+  if (ElementsAreSafeToExamine()) {
    CHECK_EQ((map()->has_fast_smi_or_object_elements() ||
              (elements() == GetHeap()->empty_fixed_array())),
             (elements()->map() == GetHeap()->fixed_array_map() ||
@@ -698,9 +696,7 @@ void JSArray::JSArrayVerify() {
  CHECK(length()->IsNumber() || length()->IsUndefined());
  // If a GC was caused while constructing this array, the elements
  // pointer may point to a one pointer filler map.
-  if ((FLAG_use_gvn && FLAG_use_allocation_folding) ||
-      (reinterpret_cast<Map*>(elements()) !=
-      GetHeap()->one_pointer_filler_map())) {
+  if (ElementsAreSafeToExamine()) {
    CHECK(elements()->IsUndefined() ||
          elements()->IsFixedArray() ||
          elements()->IsFixedDoubleArray());
@@ -1143,6 +1139,13 @@ void JSObject::SpillInformation::Print() {
 }


+bool JSObject::ElementsAreSafeToExamine() {
+  return (FLAG_use_gvn && FLAG_use_allocation_folding) ||
+      reinterpret_cast<Map*>(elements()) !=
+      GetHeap()->one_pointer_filler_map();
+}
+
+
 bool DescriptorArray::IsSortedNoDuplicates(int valid_entries) {
  if (valid_entries == -1) valid_entries = number_of_descriptors();
  Name* current_key = NULL;

--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -5516,19 +5516,24 @@ ElementsKind JSObject::GetElementsKind() {
 #if DEBUG
  FixedArrayBase* fixed_array =
      reinterpret_cast<FixedArrayBase*>(READ_FIELD(this, kElementsOffset));
-  Map* map = fixed_array->map();
-  ASSERT((IsFastSmiOrObjectElementsKind(kind) &&
-          (map == GetHeap()->fixed_array_map() ||
-           map == GetHeap()->fixed_cow_array_map())) ||
-         (IsFastDoubleElementsKind(kind) &&
-          (fixed_array->IsFixedDoubleArray() ||
-           fixed_array == GetHeap()->empty_fixed_array())) ||
-         (kind == DICTIONARY_ELEMENTS &&
+
+  // If a GC was caused while constructing this object, the elements
+  // pointer may point to a one pointer filler map.
+  if (ElementsAreSafeToExamine()) {
+    Map* map = fixed_array->map();
+    ASSERT((IsFastSmiOrObjectElementsKind(kind) &&
+            (map == GetHeap()->fixed_array_map() ||
+             map == GetHeap()->fixed_cow_array_map())) ||
+           (IsFastDoubleElementsKind(kind) &&
+            (fixed_array->IsFixedDoubleArray() ||
+             fixed_array == GetHeap()->empty_fixed_array())) ||
+           (kind == DICTIONARY_ELEMENTS &&
            fixed_array->IsFixedArray() &&
-          fixed_array->IsDictionary()) ||
-         (kind > DICTIONARY_ELEMENTS));
-  ASSERT((kind != NON_STRICT_ARGUMENTS_ELEMENTS) ||
-         (elements()->IsFixedArray() && elements()->length() >= 2));
+            fixed_array->IsDictionary()) ||
+           (kind > DICTIONARY_ELEMENTS));
+    ASSERT((kind != NON_STRICT_ARGUMENTS_ELEMENTS) ||
+           (elements()->IsFixedArray() && elements()->length() >= 2));
+  }
 #endif
  return kind;
 }

--- a/src/objects.h
+++ b/src/objects.h
@@ -2590,6 +2590,11 @@ class JSObject: public JSReceiver {
  };

  void IncrementSpillStatistics(SpillInformation* info);
+
+  // If a GC was caused while constructing this object, the elements pointer
+  // may point to a one pointer filler map. The object won't be rooted, but
+  // our heap verification code could stumble across it.
+  bool ElementsAreSafeToExamine();
 #endif
  Object* SlowReverseLookup(Object* value);


--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -33,9 +33,6 @@
  # TODO(mvstanton) Re-enable when the performance is bearable again.
  'regress/regress-2185-2': [SKIP],

-  # TODO(mvstanton) Re-enable when the bug is fixed.
-  'regress/regress-2612': [PASS, ['mode == debug', SKIP]],
-
  ##############################################################################
  # Fails.
  'regress/regress-1119': [FAIL],