Revision: 23114
Author: ja...@chromium.org
Date: Thu Aug 14 07:41:33 2014 UTC
Log: Fix pointer iteration for maps.
BUG=
R=hpa...@chromium.org
Review URL: https://codereview.chromium.org/475463003
http://code.google.com/p/v8/source/detail?r=23114
Modified:
/branches/bleeding_edge/src/heap/store-buffer.cc
/branches/bleeding_edge/test/cctest/test-heap.cc
=======================================
--- /branches/bleeding_edge/src/heap/store-buffer.cc Mon Aug 11 14:22:24
2014 UTC
+++ /branches/bleeding_edge/src/heap/store-buffer.cc Thu Aug 14 07:41:33
2014 UTC
@@ -486,10 +486,11 @@
heap_object = iterator.Next()) {
// We skip free space objects.
if (!heap_object->IsFiller()) {
+ DCHECK(heap_object->IsMap());
FindPointersToNewSpaceInRegion(
- heap_object->address() + HeapObject::kHeaderSize,
- heap_object->address() + heap_object->Size(),
slot_callback,
- clear_maps);
+ heap_object->address() +
Map::kPointerFieldsBeginOffset,
+ heap_object->address() + Map::kPointerFieldsEndOffset,
+ slot_callback, clear_maps);
}
}
} else {
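Review bot: The narrowed range `Map::kPointerFieldsBeginOffset`..`Map::kPointerFieldsEndOffset` is only correct if every non-filler object this iterator yields is a Map, and the new `DCHECK(heap_object->IsMap())` enforces that in debug builds alone; in a release build a non-map object reaching this branch would have whatever bytes sit at those offsets treated as slots. Since the code now depends on that invariant, it is worth stating it beside the existing `// We skip free space objects.` comment, e.g. `// Only maps and fillers live here; scan just the map's pointer fields so non-pointer fields (such as instance size) are never treated as slots.` The enclosing loop and function begin outside the hunk, so whether this branch is reached only for map space cannot be confirmed from the diff itself; the commit title and the Map offsets suggest it is. The unmarked `slot_callback,` line between the removed and added argument lists looks like a mail-wrapping artifact rather than surviving context, but that should be checked against the actual revision.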
=======================================
--- /branches/bleeding_edge/test/cctest/test-heap.cc Tue Aug 5 19:37:32
2014 UTC
+++ /branches/bleeding_edge/test/cctest/test-heap.cc Thu Aug 14 07:41:33
2014 UTC
@@ -4473,6 +4473,51 @@
// when it calls heap->AdjustLiveBytes(...).
JSObject::MigrateToMap(o, map2);
}
+
+
+TEST(RegressStoreBufferMapUpdate) {
+ CcTest::InitializeVM();
+ v8::HandleScope scope(CcTest::isolate());
+ Isolate* isolate = CcTest::i_isolate();
+ Factory* factory = isolate->factory();
+ Heap* heap = isolate->heap();
+
+ // This test checks that we do not treat instance size field of the map
+ // as a heap pointer when processing the store buffer.
+
+ Handle<Map> map1 = Map::Create(isolate->object_function(), 1);
+
+ // Allocate a throw-away object.
+ factory->NewFixedArray(1, NOT_TENURED);
+
+ // Allocate a new-space object that will be moved by the GC (because
+ // the throw-away object will die).
+ Handle<FixedArray> object_to_move = factory->NewFixedArray(1,
NOT_TENURED);
+
+ // Record the address before the GC.
+ Object* object_to_move_address = *object_to_move;
+
+ // Smash the new space pointer to the moving object into the instance
size
+ // field of the map. The idea is to trick the GC into updating this
pointer
+ // when the object moves. This would be wrong because instance size
should
+ // not be treated as a heap pointer.
+ *(reinterpret_cast<Object**>(map1->address() +
Map::kInstanceSizeOffset)) =
+ object_to_move_address;
+
+ // Make sure we scan the map's page on scavenge.
+ Page* page = Page::FromAddress(map1->address());
+ page->set_scan_on_scavenge(true);
+
+ heap->CollectGarbage(NEW_SPACE);
+
+ // Check the object has really moved.
+ CHECK(*object_to_move != object_to_move_address);
+
+ // Now check that we have not updated the instance size field of the map.
+ CHECK_EQ(object_to_move_address,
+ *(reinterpret_cast<Object**>(map1->address() +
+ Map::kInstanceSizeOffset)));
+}
#ifdef DEBUG