[v8-dev] [v8] r9678 committed - Fix assert by reordering the initialization of the arguments boilerpla...

codesite-noreply Tue, 18 Oct 2011 04:35:42 -0700

Revision: 9678
Author:   [email protected]
Date:     Tue Oct 18 04:32:57 2011

Log: Fix assert by reordering the initialization of the argumentsboilerplate.


If a GC happened during initialization (when allocating the elements array)

of the non_strict_arguments_boilerplate, heap verification would fail withthe following assert:

ASSERT_EQ((map()->has_fast_elements() ||map()->has_fast_smi_only_elements()),

            (elements()->map() == GetHeap()->fixed_array_map() ||
             elements()->map() == GetHeap()->fixed_cow_array_map()));

This was not harmful since the boilerplate was setup
correctly immediatly afterwards.

Simplified the setup code by removing a call to GetElementsTransitionMap.It always return the same map as

the input object in this case and is therefore unnecessary.


Added more assertions to verify well-formed non-strict
arguments backing store.

BUG=v8:1520
TEST=no more flaky tests with failing this assert.

Review URL: http://codereview.chromium.org/8336021
http://code.google.com/p/v8/source/detail?r=9678

Modified:
 /branches/bleeding_edge/src/bootstrapper.cc
 /branches/bleeding_edge/src/objects-debug.cc
 /branches/bleeding_edge/src/objects-inl.h

=======================================
--- /branches/bleeding_edge/src/bootstrapper.cc Tue Oct 18 04:18:55 2011
+++ /branches/bleeding_edge/src/bootstrapper.cc Tue Oct 18 04:32:57 2011
@@ -1084,11 +1084,6 @@
   }

   {  // --- aliased_arguments_boilerplate_
-    Handle<Map> old_map(global_context()->arguments_boilerplate()->map());
-    Handle<Map> new_map = factory->CopyMapDropTransitions(old_map);
-    new_map->set_pre_allocated_property_fields(2);
-    Handle<JSObject> result = factory->NewJSObjectFromMap(new_map);
-    new_map->set_elements_kind(NON_STRICT_ARGUMENTS_ELEMENTS);
     // Set up a well-formed parameter map to make assertions happy.
     Handle<FixedArray> elements = factory->NewFixedArray(2);
     elements->set_map(heap->non_strict_arguments_elements_map());
@@ -1097,12 +1092,16 @@
     elements->set(0, *array);
     array = factory->NewFixedArray(0);
     elements->set(1, *array);
-    Handle<Map> non_strict_arguments_elements_map =
-        factory->GetElementsTransitionMap(result,
-                                          NON_STRICT_ARGUMENTS_ELEMENTS);
-    result->set_map(*non_strict_arguments_elements_map);
-    ASSERT(result->HasNonStrictArgumentsElements());
+
+    Handle<Map> old_map(global_context()->arguments_boilerplate()->map());
+    Handle<Map> new_map = factory->CopyMapDropTransitions(old_map);
+    new_map->set_pre_allocated_property_fields(2);
+    Handle<JSObject> result = factory->NewJSObjectFromMap(new_map);
+    // Set elements kind after allocating the object because
+    // NewJSObjectFromMap assumes a fast elements map.
+    new_map->set_elements_kind(NON_STRICT_ARGUMENTS_ELEMENTS);
     result->set_elements(*elements);
+    ASSERT(result->HasNonStrictArgumentsElements());
     global_context()->set_aliased_arguments_boilerplate(*result);
   }

=======================================
--- /branches/bleeding_edge/src/objects-debug.cc        Tue Oct  4 08:54:57 2011
+++ /branches/bleeding_edge/src/objects-debug.cc        Tue Oct 18 04:32:57 2011
@@ -263,6 +263,12 @@
 void JSObject::JSObjectVerify() {
   VerifyHeapPointer(properties());
   VerifyHeapPointer(elements());
+
+  if (GetElementsKind() == NON_STRICT_ARGUMENTS_ELEMENTS) {
+    ASSERT(this->elements()->IsFixedArray());
+    ASSERT(this->elements()->length() >= 2);
+  }
+
   if (HasFastProperties()) {
     CHECK_EQ(map()->unused_property_fields(),
              (map()->inobject_properties() + properties()->length() -
=======================================
--- /branches/bleeding_edge/src/objects-inl.h   Mon Oct 17 05:44:16 2011
+++ /branches/bleeding_edge/src/objects-inl.h   Tue Oct 18 04:32:57 2011
@@ -4088,14 +4088,16 @@
       reinterpret_cast<FixedArrayBase*>(READ_FIELD(this, kElementsOffset));
   Map* map = fixed_array->map();
     ASSERT(((kind == FAST_ELEMENTS || kind == FAST_SMI_ONLY_ELEMENTS) &&
-          (map == GetHeap()->fixed_array_map() ||
-           map == GetHeap()->fixed_cow_array_map())) ||
-         (kind == FAST_DOUBLE_ELEMENTS &&
-          fixed_array->IsFixedDoubleArray()) ||
-         (kind == DICTIONARY_ELEMENTS &&
-          fixed_array->IsFixedArray() &&
-          fixed_array->IsDictionary()) ||
-         (kind > DICTIONARY_ELEMENTS));
+            (map == GetHeap()->fixed_array_map() ||
+             map == GetHeap()->fixed_cow_array_map())) ||
+           (kind == FAST_DOUBLE_ELEMENTS &&
+            fixed_array->IsFixedDoubleArray()) ||
+           (kind == DICTIONARY_ELEMENTS &&
+            fixed_array->IsFixedArray() &&
+            fixed_array->IsDictionary()) ||
+           (kind > DICTIONARY_ELEMENTS));
+    ASSERT((kind != NON_STRICT_ARGUMENTS_ELEMENTS) ||
+           (elements()->IsFixedArray() && elements()->length() >= 2));
 #endif
   return kind;
 }

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev

[v8-dev] [v8] r9678 committed - Fix assert by reordering the initialization of the arguments boilerpla...

Reply via email to