[heap] Allow PreparseData in large object space

Since the PreparseData now directly contains the byte data inline it can grow very large as well. Bug: chromium:923264 Change-Id: I456d5bcbfb40587b283584f726d9e084061fd30f Reviewed-on: https://chromium-review.googlesource.com/c/1421321Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#58953}

[heap] Allow PreparseData in large object space
Since the PreparseData now directly contains the byte data inline it can grow very large as well. Bug: chromium:923264 Change-Id: I456d5bcbfb40587b283584f726d9e084061fd30f Reviewed-on: https://chromium-review.googlesource.com/c/1421321Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#58953}
c45a2eff · Camillo Bruni · Commit Bot · bf17cd21 · c45a2eff · c45a2eff
Commit c45a2eff authored Jan 18, 2019 by Camillo Bruni Committed by Commit Bot Jan 21, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 2 deletions

spaces.cc src/heap/spaces.cc +7 -2

regress-crbug-923264.js test/mjsunit/regress/regress-crbug-923264.js +27 -0

No files found.
--- a/src/heap/spaces.cc
+++ b/src/heap/spaces.cc
@@ -3670,14 +3670,19 @@ void LargeObjectSpace::Verify(Isolate* isolate) {
          heap()->read_only_space()->Contains(map));
    // We have only the following types in the large object space:
-    CHECK(object->IsAbstractCode() || object->IsSeqString() ||
+    if (!(object->IsAbstractCode() || object->IsSeqString() ||
          object->IsExternalString() || object->IsThinString() ||
          object->IsFixedArray() || object->IsFixedDoubleArray() ||
          object->IsWeakFixedArray() || object->IsWeakArrayList() ||
          object->IsPropertyArray() || object->IsByteArray() ||
          object->IsFeedbackVector() || object->IsBigInt() ||
          object->IsFreeSpace() || object->IsFeedbackMetadata() ||
-          object->IsContext() || object->IsUncompiledDataWithoutPreparseData());
+          object->IsContext() ||
+          object->IsUncompiledDataWithoutPreparseData() ||
+          object->IsPreparseData())) {
+      FATAL("Found invalid Object (instance_type=%i) in large object space.",
+            object->map()->instance_type());
+    }
    // The object itself should look OK.
    object->ObjectVerify(isolate);

--- a/test/mjsunit/regress/regress-crbug-923264.js
+++ b/test/mjsunit/regress/regress-crbug-923264.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+// Flags: --verify-heap --expose-gc
+let paramName = '';
+for (let i=0; i < 2**10; i++) {
+  paramName += 'a';
+}
+let params = '';
+for (let i = 0; i < 2**10; i++) {
+  params += paramName + i + ',';
+}
+let fn = eval(`(
+  class A {
+    constructor (${params}) {
+      function lazy() {
+        return function lazier() { return ${paramName+1} }
+      };
+      return lazy;
+    }
+})`);
+gc()