
Side by Side Diff: test/cctest/test-heap.cc

Issue 11931037: Out of bounds memory access in TestJSArrayForAllocationSiteInfo. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Removed temporary change in ia32 macro assembler Created 7 years, 11 months ago
1 // Copyright 2012 the V8 project authors. All rights reserved. 1 // Copyright 2012 the V8 project authors. All rights reserved.
2 2
3 #include <stdlib.h> 3 #include <stdlib.h>
4 4
5 #include "v8.h" 5 #include "v8.h"
6 6
7 #include "compilation-cache.h" 7 #include "compilation-cache.h"
8 #include "execution.h" 8 #include "execution.h"
9 #include "factory.h" 9 #include "factory.h"
10 #include "macro-assembler.h" 10 #include "macro-assembler.h"
(...skipping 2676 matching lines...) Expand 10 before | Expand all | Expand 10 after
2687 #ifdef DEBUG 2687 #ifdef DEBUG
2688 FLAG_stop_at = "f"; 2688 FLAG_stop_at = "f";
2689 #endif 2689 #endif
2690 CompileRun("%OptimizeFunctionOnNextCall(g);" 2690 CompileRun("%OptimizeFunctionOnNextCall(g);"
2691 "g(false);"); 2691 "g(false);");
2692 2692
2693 // Finish garbage collection cycle. 2693 // Finish garbage collection cycle.
2694 HEAP->CollectAllGarbage(Heap::kNoGCFlags); 2694 HEAP->CollectAllGarbage(Heap::kNoGCFlags);
2695 CHECK(shared1->code()->gc_metadata() == NULL); 2695 CHECK(shared1->code()->gc_metadata() == NULL);
2696 } 2696 }
2697
2698
2699 // Helper function that simulates a fill new-space in the heap.
2700 static inline void AllocateAllButNBytes(v8::internal::NewSpace* space,
2701 int extra_bytes) {
2702 int space_remaining = static_cast<int>(
2703 *space->allocation_limit_address() - *space->allocation_top_address());
2704 CHECK(space_remaining >= extra_bytes);
2705 int new_linear_size = space_remaining - extra_bytes;
2706 v8::internal::MaybeObject* maybe = space->AllocateRaw(new_linear_size);
2707 v8::internal::FreeListNode* node = v8::internal::FreeListNode::cast(maybe);
2708 node->set_size(space->heap(), new_linear_size);
2709 }
2710
2711
2712 TEST(Regress169928) {
2713 i::FLAG_allow_natives_syntax = true;
2714 i::FLAG_crankshaft = false;
2715 InitializeVM();
2716 v8::HandleScope scope;
2717
2718 // Some flags turn Scavenge collections into Mark-sweep collections
2719 // and hence are incompatible with this test case.
2720 if (FLAG_gc_global || FLAG_stress_compaction) return;
2721
2722 // Prepare the environment
2723 CompileRun("function fastliteralcase(literal, value) {"
2724 " literal[0] = value;"
2725 " return literal;"
2726 "}"
2727 "function get_standard_literal() {"
2728 " var literal = [1, 2, 3];"
2729 " return literal;"
2730 "}"
2731 "obj = fastliteralcase(get_standard_literal(), 1);"
2732 "obj = fastliteralcase(get_standard_literal(), 1.5);"
2733 "obj = fastliteralcase(get_standard_literal(), 2);");
2734
2735 // prepare the heap
2736 v8::Local<v8::String> mote_code_string =
2737 v8_str("fastliteralcase(mote, 2.5);");
2738
2739 v8::Local<v8::String> array_name = v8_str("mote");
2740 v8::Context::GetCurrent()->Global()->Set(array_name, v8::Int32::New(0));
2741
2742 // First make sure we flip spaces
2743 #ifdef DEBUG
2744 Address* limit_addr = HEAP->new_space()->allocation_limit_address();
2745 Address limit = *limit_addr;
2746 #endif
2747 HEAP->CollectGarbage(NEW_SPACE);
2748 // Paranoid...make sure we really flipped spaces.
2749 ASSERT(limit != *limit_addr);
Michael Starzinger 2013/01/21 09:54:26 I think we can drop the assertion whether the limi
mvstanton 2013/01/21 12:25:40 Done.
2750
2751 // Allocate the object.
2752 Handle<FixedArray> array_data = FACTORY->NewFixedArray(2, NOT_TENURED);
2753 array_data->set(0, Smi::FromInt(1));
2754 array_data->set(1, Smi::FromInt(2));
2755
2756 AllocateAllButNBytes(HEAP->new_space(),
2757 JSArray::kSize + AllocationSiteInfo::kSize +
Michael Starzinger 2013/01/21 09:54:26 Wouldn't it be better to just allocate the array c
mvstanton 2013/01/21 12:25:40 Actually in this case we do need it. The crash wil
2758 kPointerSize);
2759
2760 Handle<JSArray> array = FACTORY->NewJSArrayWithElements(array_data,
2761 FAST_SMI_ELEMENTS,
2762 NOT_TENURED);
2763
2764 CHECK_EQ(Smi::FromInt(2), array->length());
2765 CHECK(array->HasFastSmiOrObjectElements());
2766
2767 // We need filler the size of AllocationSiteInfo object, plus an extra
2768 // fill pointer value.
2769 MaybeObject* maybe_object = HEAP->AllocateRaw(
2770 AllocationSiteInfo::kSize + kPointerSize, NEW_SPACE, OLD_POINTER_SPACE);
2771 Object* obj = NULL;
2772 CHECK(maybe_object->ToObject(&obj));
2773 Address addr_obj = reinterpret_cast<Address>(
2774 reinterpret_cast<byte*>(obj - kHeapObjectTag));
2775 HEAP->CreateFillerObjectAt(addr_obj,
2776 AllocationSiteInfo::kSize + kPointerSize);
2777
2778 // Give the array a name, making sure not to allocate strings.
2779 v8::Handle<v8::Object> array_obj = v8::Utils::ToLocal(array);
2780 v8::Context::GetCurrent()->Global()->Set(array_name, array_obj);
2781
2782 // This should crash with a protection violation if we are running a build
2783 // with the bug.
2784 AlwaysAllocateScope aa_scope;
2785 v8::Script::Compile(mote_code_string)->Run();
2786 }
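Review bot: AllocateAllButNBytes casts the MaybeObject returned by `space->AllocateRaw(new_linear_size)` (line 2706) straight to a FreeListNode without confirming the allocation succeeded, while the test body at lines 2769-2772 does check `maybe_object->ToObject(&obj)` before touching its result; the CHECK on line 2704 permits new_linear_size to be 0 when space_remaining equals extra_bytes, and I cannot tell from here whether AllocateRaw can return a failure in that case, in which set_size would write through a pointer derived from the failure value. Mirroring the body's pattern keeps the helper consistent and turns a bad allocation into a CHECK failure instead of a stray write: `Object* obj = NULL;` / `CHECK(maybe->ToObject(&obj));` / `v8::internal::FreeListNode* node = v8::internal::FreeListNode::cast(obj);`. Separately, the address computation at lines 2773-2774 does pointer arithmetic on an `Object*` (`obj - kHeapObjectTag`), which presumably only yields a byte offset because Object carries no data members; `HeapObject::cast(obj)->address()` states the intent directly and does not depend on sizeof(Object). The helper's Doxygen-style header could also say that the caller must guarantee extra_bytes fits in the remaining linear area, since the CHECK aborts rather than returns.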
