Commit ebf8ec5c authored by ishell's avatar ishell Committed by Commit bot

Fix JSFunction's in-object properties initialization.

BUG=v8:4572
LOG=Y

Review URL: https://codereview.chromium.org/1481493003

Cr-Commit-Position: refs/heads/master@{#32268}
parent 05dda9e2
......@@ -1173,9 +1173,13 @@ DEFINE_ERROR(TypeError, type_error)
#undef DEFINE_ERROR
void Factory::InitializeFunction(Handle<JSFunction> function,
Handle<SharedFunctionInfo> info,
Handle<Context> context) {
Handle<JSFunction> Factory::NewFunction(Handle<Map> map,
Handle<SharedFunctionInfo> info,
Handle<Context> context,
PretenureFlag pretenure) {
AllocationSpace space = pretenure == TENURED ? OLD_SPACE : NEW_SPACE;
Handle<JSFunction> function = New<JSFunction>(map, space);
function->initialize_properties();
function->initialize_elements();
function->set_shared(*info);
......@@ -1184,17 +1188,8 @@ void Factory::InitializeFunction(Handle<JSFunction> function,
function->set_prototype_or_initial_map(*the_hole_value());
function->set_literals_or_bindings(*empty_fixed_array());
function->set_next_function_link(*undefined_value(), SKIP_WRITE_BARRIER);
}
Handle<JSFunction> Factory::NewFunction(Handle<Map> map,
Handle<SharedFunctionInfo> info,
Handle<Context> context,
PretenureFlag pretenure) {
AllocationSpace space = pretenure == TENURED ? OLD_SPACE : NEW_SPACE;
Handle<JSFunction> result = New<JSFunction>(map, space);
InitializeFunction(result, info, context);
return result;
isolate()->heap()->InitializeJSObjectBody(*function, *map, JSFunction::kSize);
return function;
}
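Review bot: The `isolate()->heap()->InitializeJSObjectBody(*function, *map, JSFunction::kSize);` line at the end of NewFunction is the actual fix for v8:4572, but it carries no comment, so a later reader cannot tell why `New<JSFunction>` plus the explicit setters above it is not sufficient. I would put above it `// The map may carry in-object properties past JSFunction::kSize; fill them so no uninitialized slots are left behind for the GC.` — that function subclasses are the case that hits this is inferred from the es6/classes-subclass-builtins status change in this commit, not from the hunk itself. It is also worth a one-line note that the stores between `New<JSFunction>(map, space)` and this call must stay allocation-free, since until this call the tail of the object is raw memory; the setters in between appear to be plain field writes, so that holds today but is easy to break when someone adds a step.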
......
......@@ -695,14 +695,6 @@ class Factory final {
// Update the cache with a new number-string pair.
void SetNumberStringCache(Handle<Object> number, Handle<String> string);
// Initializes a function with a shared part and prototype.
// Note: this code was factored out of NewFunction such that other parts of
// the VM could use it. Specifically, a function that creates instances of
// type JS_FUNCTION_TYPE benefit from the use of this function.
inline void InitializeFunction(Handle<JSFunction> function,
Handle<SharedFunctionInfo> info,
Handle<Context> context);
// Creates a function initialized with a shared part.
Handle<JSFunction> NewFunction(Handle<Map> map,
Handle<SharedFunctionInfo> info,
......
......@@ -3432,6 +3432,14 @@ void Heap::InitializeJSObjectFromMap(JSObject* obj, FixedArray* properties,
// fixed array (e.g. Heap::empty_fixed_array()). Currently, the object
// verification code has to cope with (temporarily) invalid objects. See
// for example, JSArray::JSArrayVerify).
InitializeJSObjectBody(obj, map, JSObject::kHeaderSize);
}
void Heap::InitializeJSObjectBody(JSObject* obj, Map* map, int start_offset) {
if (start_offset == map->instance_size()) return;
DCHECK_LT(start_offset, map->instance_size());
Object* filler;
// We cannot always fill with one_pointer_filler_map because objects
// created from API functions expect their internal fields to be initialized
......@@ -3448,7 +3456,7 @@ void Heap::InitializeJSObjectFromMap(JSObject* obj, FixedArray* properties,
} else {
filler = Heap::undefined_value();
}
obj->InitializeBody(map, Heap::undefined_value(), filler);
obj->InitializeBody(map, start_offset, Heap::undefined_value(), filler);
}
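Review bot: The early `return` on `start_offset == map->instance_size()` followed by `DCHECK_LT(start_offset, map->instance_size())` means a `start_offset` larger than the instance size is only caught in debug builds; in a release build the call falls through to `InitializeBody`, which (from `int offset = start_offset` in objects-inl.h, the loop itself lying outside this diff) would presumably initialize nothing and silently leave the object's tail uninitialized — the very bug class this commit is fixing. I would state the precondition once, before the early exit, as `DCHECK_LE(start_offset, map->instance_size());` and `if (start_offset == map->instance_size()) return;`, which reads as a contract rather than as an accident of ordering. If callers are considered trusted, at least say so in the comment on the declaration.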
......
......@@ -1728,6 +1728,10 @@ class Heap {
// Initializes a JSObject based on its map.
void InitializeJSObjectFromMap(JSObject* obj, FixedArray* properties,
Map* map);
// Initializes JSObject body starting at given offset.
void InitializeJSObjectBody(JSObject* obj, Map* map, int start_offset);
void InitializeAllocationMemento(AllocationMemento* memento,
AllocationSite* allocation_site);
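Review bot: The one-line comment on `InitializeJSObjectBody` does not tell a caller what it owes or what it gets. Based on the heap.cc hunk in this commit, I would write `// Initializes the fields of |obj| from |start_offset| up to map->instance_size(): pre-allocated property fields with undefined, the rest with either undefined or the one-pointer filler depending on the map. The caller must already have initialized everything below |start_offset|, which must not exceed the instance size.` That makes the `JSFunction::kSize` argument in Factory::NewFunction self-explanatory without reading the implementation.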
......
......@@ -2288,7 +2288,7 @@ Object* JSObject::InObjectPropertyAtPut(int index,
}
void JSObject::InitializeBody(Map* map,
void JSObject::InitializeBody(Map* map, int start_offset,
Object* pre_allocated_value,
Object* filler_value) {
DCHECK(!filler_value->IsHeapObject() ||
......@@ -2296,7 +2296,7 @@ void JSObject::InitializeBody(Map* map,
DCHECK(!pre_allocated_value->IsHeapObject() ||
!GetHeap()->InNewSpace(pre_allocated_value));
int size = map->instance_size();
int offset = kHeaderSize;
int offset = start_offset;
if (filler_value != pre_allocated_value) {
int end_of_pre_allocated_offset =
size - (map->unused_property_fields() * kPointerSize);
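Review bot: With `start_offset` now a parameter, `InitializeBody` has no check of its own that the offset is sane: the only bound check (`DCHECK_LT`) lives in the new `Heap::InitializeJSObjectBody`, yet `InitializeBody` is a public inline member per objects.h that any caller can reach directly. After `int size = map->instance_size();` I would add `DCHECK_LE(kHeaderSize, start_offset);` and `DCHECK_LE(start_offset, size);`, which also records that the previous fixed `kHeaderSize` start is the minimum. The loop that consumes `offset` and `end_of_pre_allocated_offset` continues past the end of this hunk, so I could not confirm how an offset above `end_of_pre_allocated_offset` behaves; if that is not a valid input, a third DCHECK against it belongs here too.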
......
......@@ -2346,14 +2346,13 @@ class JSObject: public JSReceiver {
bool from_javascript,
ShouldThrow should_throw);
// Initializes the body after properties slot, properties slot is
// initialized by set_properties. Fill the pre-allocated fields with
// Initializes the body starting at |start_offset|. It is responsibility of
// the caller to initialize object header. Fill the pre-allocated fields with
// pre_allocated_value and the rest with filler_value.
// Note: this call does not update write barrier, the caller is responsible
// to ensure that |filler_value| can be collected without WB here.
inline void InitializeBody(Map* map,
Object* pre_allocated_value,
Object* filler_value);
inline void InitializeBody(Map* map, int start_offset,
Object* pre_allocated_value, Object* filler_value);
// Check whether this object references another object
bool ReferencesObject(Object* obj);
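Review bot: The rewritten comment on `InitializeBody` never says which values of |start_offset| are allowed, so a reader has to find Heap::InitializeJSObjectBody to learn the bound, and it is missing an article in "It is responsibility of the caller". I would phrase the first two sentences as `// Initializes the body starting at |start_offset| (at least kHeaderSize, at most the map's instance size). It is the responsibility of the caller to initialize everything before that offset; the pre-allocated fields are filled with pre_allocated_value and the rest with filler_value.` The lower bound is what the old fixed `kHeaderSize` start guaranteed, and the upper bound is what the new caller in heap.cc DCHECKs.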
......
......@@ -281,9 +281,6 @@
'harmony/arrow-rest-params': [PASS, NO_VARIANTS],
'harmony/rest-params': [PASS, ['no_snap == True', NO_VARIANTS]],
# BUG(v8:4572).
'es6/classes-subclass-builtins': [PASS, ['no_snap == True', NO_VARIANTS]],
# Slow tests.
'copy-on-write-assert': [PASS, SLOW],
'debug-scopes': [PASS, SLOW],
......