Reviewers: Vyacheslav Egorov,
Description:
Fix assert by reordering the initialization of the arguments boilerplate.
If a GC happened during initialization (when allocating the elements array)
of the non_strict_arguments_boilerplate, heap verification would fail with
the
following assert:
ASSERT_EQ((map()->has_fast_elements() ||
map()->has_fast_smi_only_elements()),
(elements()->map() == GetHeap()->fixed_array_map() ||
elements()->map() == GetHeap()->fixed_cow_array_map()));
This was not harmful since the boilerplate was set up
correctly immediately afterwards.
Simplified the setup code by removing a call to GetElementsTransitionMap. It
always returns the same map as
the input object in this case and is therefore unnecessary.
Added more assertions to verify well-formed non-strict
arguments backing store.
BUG=v8:1520
TEST=no more flaky tests with failing this assert.
Please review this at http://codereview.chromium.org/8336021/
SVN Base: http://v8.googlecode.com/svn/branches/bleeding_edge/
Affected files:
M src/bootstrapper.cc
M src/objects-debug.cc
M src/objects-inl.h
Index: src/bootstrapper.cc
===================================================================
--- src/bootstrapper.cc (revision 9668)
+++ src/bootstrapper.cc (working copy)
@@ -1084,11 +1084,6 @@
}
{ // --- aliased_arguments_boilerplate_
- Handle<Map> old_map(global_context()->arguments_boilerplate()->map());
- Handle<Map> new_map = factory->CopyMapDropTransitions(old_map);
- new_map->set_pre_allocated_property_fields(2);
- Handle<JSObject> result = factory->NewJSObjectFromMap(new_map);
- new_map->set_elements_kind(NON_STRICT_ARGUMENTS_ELEMENTS);
// Set up a well-formed parameter map to make assertions happy.
Handle<FixedArray> elements = factory->NewFixedArray(2);
elements->set_map(heap->non_strict_arguments_elements_map());
@@ -1097,12 +1092,16 @@
elements->set(0, *array);
array = factory->NewFixedArray(0);
elements->set(1, *array);
- Handle<Map> non_strict_arguments_elements_map =
- factory->GetElementsTransitionMap(result,
- NON_STRICT_ARGUMENTS_ELEMENTS);
- result->set_map(*non_strict_arguments_elements_map);
- ASSERT(result->HasNonStrictArgumentsElements());
+
+ Handle<Map> old_map(global_context()->arguments_boilerplate()->map());
+ Handle<Map> new_map = factory->CopyMapDropTransitions(old_map);
+ new_map->set_pre_allocated_property_fields(2);
+ Handle<JSObject> result = factory->NewJSObjectFromMap(new_map);
+ // Set elements kind after allocating the object because
+ // NewJSObjectFromMap assumes a fast elements map.
+ new_map->set_elements_kind(NON_STRICT_ARGUMENTS_ELEMENTS);
result->set_elements(*elements);
+ ASSERT(result->HasNonStrictArgumentsElements());
global_context()->set_aliased_arguments_boilerplate(*result);
}
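Review bot: The comment above `new_map->set_elements_kind(NON_STRICT_ARGUMENTS_ELEMENTS)` explains why the kind is set after `NewJSObjectFromMap`, but it does not state the ordering constraint that actually closes the window. Between that call and `result->set_elements(*elements)` the map already claims non-strict arguments elements while the object still holds its initial backing store, so nothing in between may allocate; per the description, a GC there would run heap verification on a mismatched object. I would extend the comment with `// No allocation between here and set_elements(): a GC would verify an object whose map and elements disagree.` so a later edit does not reintroduce the gap. The enclosing block opens in the previous hunk and the function itself lies outside both.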
Index: src/objects-debug.cc
===================================================================
--- src/objects-debug.cc (revision 9668)
+++ src/objects-debug.cc (working copy)
@@ -263,6 +263,12 @@
void JSObject::JSObjectVerify() {
VerifyHeapPointer(properties());
VerifyHeapPointer(elements());
+
+ if (GetElementsKind() == NON_STRICT_ARGUMENTS_ELEMENTS) {
+ ASSERT(this->elements()->IsFixedArray());
+ ASSERT(this->elements()->length() >= 2);
+ }
+
if (HasFastProperties()) {
CHECK_EQ(map()->unused_property_fields(),
(map()->inobject_properties() + properties()->length() -
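Review bot: The two added checks in `JSObjectVerify` use `ASSERT` while the next check in the same function uses `CHECK_EQ`; for consistency with the verifier's existing style I would write them as `CHECK(this->elements()->IsFixedArray());` and `CHECK(this->elements()->length() >= 2);`. The condition `GetElementsKind() == NON_STRICT_ARGUMENTS_ELEMENTS` also appears to run the assertion added in src/objects-inl.h in this same change (assuming that hunk is inside `GetElementsKind`), so a malformed backing store would fail there before reaching these lines. A short comment saying which slots the `length() >= 2` bound protects would help the next reader. The function body continues past the end of the hunk.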
Index: src/objects-inl.h
===================================================================
--- src/objects-inl.h (revision 9668)
+++ src/objects-inl.h (working copy)
@@ -4096,6 +4096,8 @@
fixed_array->IsFixedArray() &&
fixed_array->IsDictionary()) ||
(kind > DICTIONARY_ELEMENTS));
+ ASSERT((kind != NON_STRICT_ARGUMENTS_ELEMENTS) ||
+ (elements()->IsFixedArray() && elements()->length() >= 2));
#endif
return kind;
}
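Review bot: The added `ASSERT` checks only that the backing store is a fixed array of length at least 2, which any ordinary two-element `FixedArray` would also satisfy. The bootstrapper.cc part of this change stamps the parameter map with `heap->non_strict_arguments_elements_map()`, so if every non-strict arguments backing store carries that map (not visible from this hunk), the assertion could be tightened with `elements()->map() == GetHeap()->non_strict_arguments_elements_map()`. The check sits in a conditionally compiled block whose opening `#if` is outside the hunk, so it presumably gives no protection in release builds; that is worth stating in a comment so nobody relies on it as a bounds check. The function's start is outside the hunk.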