[heap] Fix elements / properties backing store accounting.

Avoid divide by zero for empty elements backing stores, and generally don't account for empty_property_array / empty_fixed_array. Bug: v8:7266 Change-Id: I5d1c5f43165810f7ec3bcebf3caf1bc737b46e59 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559865 Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#60724}

[heap] Fix elements / properties backing store accounting.
Avoid divide by zero for empty elements backing stores, and generally don't account for empty_property_array / empty_fixed_array. Bug: v8:7266 Change-Id: I5d1c5f43165810f7ec3bcebf3caf1bc737b46e59 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559865 Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#60724}
cb989656 · Benedikt Meurer · Commit Bot · 0b1e9ef2 · cb989656
Commit cb989656 authored Apr 09, 2019 by Benedikt Meurer Committed by Commit Bot Apr 09, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 11 deletions

object-stats.cc src/heap/object-stats.cc +14 -11

No files found.
--- a/src/heap/object-stats.cc
+++ b/src/heap/object-stats.cc
@@ -553,13 +553,13 @@ void ObjectStatsCollectorImpl::RecordVirtualJSObjectDetails(JSObject object) {
  // Properties.
  if (object->HasFastProperties()) {
    PropertyArray properties = object->property_array();
-    size_t over_allocated = ObjectStats::kNoOverAllocation;
    if (properties != ReadOnlyRoots(heap_).empty_property_array()) {
-      over_allocated += object->map()->UnusedPropertyFields() * kTaggedSize;
+      size_t over_allocated =
+          object->map()->UnusedPropertyFields() * kTaggedSize;
+      RecordVirtualObjectStats(object, properties,
+                               ObjectStats::OBJECT_PROPERTY_ARRAY_TYPE,
+                               properties->Size(), over_allocated);
    }
-    RecordVirtualObjectStats(object, properties,
-                             ObjectStats::OBJECT_PROPERTY_ARRAY_TYPE,
-                             properties->Size(), over_allocated);
  } else {
    NameDictionary properties = object->property_dictionary();
    RecordHashTableVirtualObjectStats(
@@ -574,12 +574,15 @@ void ObjectStatsCollectorImpl::RecordVirtualJSObjectDetails(JSObject object) {
        object->IsJSArray() ? ObjectStats::ARRAY_DICTIONARY_ELEMENTS_TYPE
                            : ObjectStats::OBJECT_DICTIONARY_ELEMENTS_TYPE);
  } else if (object->IsJSArray()) {
-    size_t element_size =
+    if (elements != ReadOnlyRoots(heap_).empty_fixed_array()) {
-        (elements->Size() - FixedArrayBase::kHeaderSize) / elements->length();
+      size_t element_size =
-    uint32_t length = JSArray::cast(object)->length()->Number();
+          (elements->Size() - FixedArrayBase::kHeaderSize) / elements->length();
-    size_t over_allocated = (elements->length() - length) * element_size;
+      uint32_t length = JSArray::cast(object)->length()->Number();
-    RecordVirtualObjectStats(object, elements, ObjectStats::ARRAY_ELEMENTS_TYPE,
+      size_t over_allocated = (elements->length() - length) * element_size;
-                             elements->Size(), over_allocated);
+      RecordVirtualObjectStats(object, elements,
+                               ObjectStats::ARRAY_ELEMENTS_TYPE,
+                               elements->Size(), over_allocated);
+    }
  } else {
    RecordSimpleVirtualObjectStats(object, elements,
                                   ObjectStats::OBJECT_ELEMENTS_TYPE);