Reviewers: Toon Verwaest,

Description:
Merged r14063, r14064 into trunk branch.

Fix crash involving zombie maps escaping from the JSON parser's underground lab

Fix store_mode bug involving polymorphism with external and JS arrays.

R=verwa...@chromium.org
BUG=


Please review this at https://codereview.chromium.org/12843031/

SVN Base: https://v8.googlecode.com/svn/trunk

Affected files:
  M src/ic.cc
  M src/objects-inl.h
  M src/version.cc
  A + test/mjsunit/regress/external-and-normal-array-polymorphim.js


Index: src/ic.cc
diff --git a/src/ic.cc b/src/ic.cc
index c1d11bbb90678b646f8904673d61e3874f0bb872..71f2c30652ffc32acda8c1dee7eea7151fc34f09 100644
--- a/src/ic.cc
+++ b/src/ic.cc
@@ -1771,6 +1771,26 @@ Handle<Code> KeyedStoreIC::StoreElementStub(Handle<JSObject> receiver,
     }
   }

+ // If the store mode isn't the standard mode, make sure that all polymorphic
+ // receivers are either external arrays, or all "normal" arrays. Otherwise,
+  // use the generic stub.
+  if (store_mode != STANDARD_STORE) {
+    int external_arrays = 0;
+    for (int i = 0; i < target_receiver_maps.length(); ++i) {
+      if (target_receiver_maps[i]->has_external_array_elements()) {
+        external_arrays++;
+      }
+    }
+    if (external_arrays != 0 &&
+        external_arrays != target_receiver_maps.length()) {
+      TRACE_GENERIC_IC(isolate(), "KeyedIC",
+          "unsupported combination of external and normal arrays");
+      return strict_mode == kStrictMode
+          ? generic_stub_strict()
+          : generic_stub();
+    }
+  }
+
   return isolate()->stub_cache()->ComputeStoreElementPolymorphic(
       &target_receiver_maps, store_mode, strict_mode);
 }
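Review bot: The counting loop in the new block keeps scanning after the mixed case is already decided, and then expresses the decision as `external_arrays != 0 && external_arrays != target_receiver_maps.length()`, while the comment above it states a plain all-or-nothing condition; two flags with an early exit say exactly what the comment says and drop the count arithmetic. The body of StoreElementStub starts before the hunk, so I cannot tell whether the same strict/non-strict generic-stub fallback already appears earlier in the function and could be shared. Rewritten scan below; the trace and the return are unchanged.
```cpp
  if (store_mode != STANDARD_STORE) {
    bool has_external = false;
    bool has_normal = false;
    for (int i = 0; i < target_receiver_maps.length(); ++i) {
      if (target_receiver_maps[i]->has_external_array_elements()) {
        has_external = true;
      } else {
        has_normal = true;
      }
      if (has_external && has_normal) break;
    }
    if (has_external && has_normal) {
      // … unchanged: TRACE_GENERIC_IC and the generic stub return …
    }
  }
```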
Index: src/objects-inl.h
diff --git a/src/objects-inl.h b/src/objects-inl.h
index 02542612b86c9e66654ba45b4fc08aa0190a8ef0..ba0a7f87bc3664b56b7f98a7c54cd9a9d9fc39ae 100644
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -1490,7 +1490,7 @@ MaybeObject* JSObject::AddFastPropertyUsingMap(Map* map) {
 bool JSObject::TryTransitionToField(Handle<JSObject> object,
                                     Handle<Name> key) {
   if (!object->map()->HasTransitionArray()) return false;
-  Handle<TransitionArray> transitions(object->map()->transitions());
+  TransitionArray* transitions = object->map()->transitions();
   int transition = transitions->Search(*key);
   if (transition == TransitionArray::kNotFound) return false;
PropertyDetails target_details = transitions->GetTargetDetails(transition);
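Review bot: The raw `TransitionArray* transitions` that replaces the handle is only valid until the next allocation, since the array is a heap object the GC may move or zap; `Search` and `GetTargetDetails` on the following lines look non-allocating, but TryTransitionToField continues past the hunk, and any allocating or handle-creating call there while `transitions` is still read would now be a use of a dangling pointer. A one-line comment would pin the invariant for the next editor: `// Raw pointer: must not be held across an allocation; the GC may move or zap the array.` If the remainder of the function does allocate before its last use of `transitions`, that use should be moved above the allocation or re-read from `object->map()->transitions()`.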
@@ -4125,9 +4125,12 @@ TransitionArray* Map::transitions() {

 void Map::set_transitions(TransitionArray* transition_array,
                           WriteBarrierMode mode) {
-  // In release mode, only run this code if verify_heap is on.
-  if (Heap::ShouldZapGarbage() && HasTransitionArray()) {
-    CHECK(transitions() != transition_array);
+  // Transition arrays are not shared. When one is replaced, it should not
+  // keep referenced objects alive, so we zap it.
+ // When there is another reference to the array somewhere (e.g. a handle),
+  // not zapping turns from a waste of memory into a source of crashes.
+  if (HasTransitionArray()) {
+    ASSERT(transitions() != transition_array);
     ZapTransitions();
   }

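Review bot: Replacing `CHECK` with `ASSERT` at `ASSERT(transitions() != transition_array);` removes the release-build guard: assuming `ASSERT` compiles to nothing outside debug builds as it does elsewhere in V8, a release caller that re-installs the current transition array now zaps the very array it is about to install, silently. Since `ZapTransitions()` is no longer gated on `Heap::ShouldZapGarbage()`, that guard matters more than it did before the change. Either keep `CHECK` here or make the zap itself conditional: `if (HasTransitionArray() && transitions() != transition_array) {`. set_transitions continues past the end of the hunk.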
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index 1af64a5e8815ec95b1e23cb830e49bf814ab0463..a55d7bcd86c6bcdd0124b3e624e78968fd668aac 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     17
 #define BUILD_NUMBER      15
-#define PATCH_LEVEL       2
+#define PATCH_LEVEL       3
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/external-and-normal-array-polymorphim.js
diff --git a/test/mjsunit/copy-on-write-assert.js b/test/mjsunit/regress/external-and-normal-array-polymorphim.js
similarity index 81%
copy from test/mjsunit/copy-on-write-assert.js
copy to test/mjsunit/regress/external-and-normal-array-polymorphim.js
index 0e78c77befe4c4794446923c0bcf45df27c6fbac..59fada413c6f4c0e489b13d746a768d5cdac3d9e 100644
--- a/test/mjsunit/copy-on-write-assert.js
+++ b/test/mjsunit/regress/external-and-normal-array-polymorphim.js
@@ -25,18 +25,26 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-function createLargeCOWArray() {
-  var s = "[0";
-  // The constant below depends on the max object size in new space.
-  for (var i = 0; i < (128 << 10); i++) {
-    s += ",0";
+// Flags: --compiled_keyed_stores --compiled_transitions
+
+function store_generator(compare) {
+  return function(a,i,v) {
+    a[i] = v;
+    assertEquals(compare, a[i]);
+    assertEquals(compare, a[i]);
   }
-  s += "]";
-  return eval(s);
 }

-var large_cow_array = createLargeCOWArray();
+f = store_generator(5);
+a = [0,0,0];
+f(a,0,5);
+a = [0,0,0];
+f(a,1,5);
+a = [0,0,0];
+f(a,2,5);

-// Force copy. Because the array is large it will test the slow array
-// cloning in large object space.
-large_cow_array[17] = 42;
+f = store_generator(5.5);
+a = new Float32Array(5);
+f(a,0,5.5);
+f(a,1,5.5);
+f(a,2,5.5);

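Review bot: The test never states what it is exercising — the single keyed store site `a[i] = v` inside store_generator is first fed plain JS arrays and then a Float32Array — so a reader cannot connect it to the ic.cc change without the review description. A header comment such as `// Regression test: one keyed store site that sees both normal JS arrays and an external array (Float32Array) receiver; see KeyedStoreIC::StoreElementStub.` would do that. `f` and `a` are also assigned without `var`, making them implicit globals; `var f = ...` and `var a = ...` keep the test self-contained. The new file name reads `polymorphim` where `polymorphism` is presumably intended.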
