From: vegorov@chromium.org
Date: Thu, 28 Apr 2011 16:03:40 +0000 (+0000)
Subject: Fix missing writebarrier in ArraySplice builtin.
X-Git-Tag: upstream/4.7.83~19557
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=1c950e04cc9869c77e2549e1d2db694614b4648a;p=platform%2Fupstream%2Fv8.git
Fix missing writebarrier in ArraySplice builtin.
Review URL: http://codereview.chromium.org/6883227
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7706 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
diff --git a/src/builtins.cc b/src/builtins.cc
index ae3dab4..377de05 100644
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -838,8 +838,8 @@ BUILTIN(ArraySplice) {
 const int delta = actual_delete_count - item_count;
 if (actual_start > 0) {
- Object** start = elms->data_start();
- memmove(start + delta, start, actual_start * kPointerSize);
+ AssertNoAllocation no_gc;
+ MoveElements(heap, &no_gc, elms, delta, elms, 0, actual_start);
 }
 elms = LeftTrimFixedArray(heap, elms, delta);
diff --git a/test/mjsunit/regress/splice-missing-wb.js b/test/mjsunit/regress/splice-missing-wb.js
new file mode 100644
index 0000000..5ff0d81
--- /dev/null
+++ b/test/mjsunit/regress/splice-missing-wb.js
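Review bot: The replacement lines give no hint of why the raw memmove was wrong, and the next reader may reintroduce it in the name of speed; a one-line comment on the `MoveElements` call would preserve the lesson, e.g. `// elms holds tagged pointers and may sit in old space: move them via MoveElements so write-barrier / region marks stay correct -- a plain memmove silently skips them.` The `AssertNoAllocation` scope covers only the move, which presumably is exactly the window the helper needs to be GC-free, so that part reads fine. ArraySplice's body begins and ends outside this hunk; if it has a second copy path for the case where item_count exceeds actual_delete_count (negative delta), it is worth confirming that path also goes through the same helper rather than a bare memmove.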
@@ -0,0 +1,56 @@
+// Copyright 2011 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --expose-gc
+
+// Create array large enough to span several page regions.
+var a = new Array(500);
+
+// Fill it with values.
+for (var i = 0; i < a.length; i++) a[i] = {idx:i};
+
+// Force it into oldspace.
+gc();
+gc();
+
+// Array should be in old space now. Store young object into array.
+// Region will be marked.
+a[0] = {idx:0};
+
+// Delete elements a[2] .. a[201]. Internally we will use
+// trimming of backing store. a[0] a[1] will be moved to
+// memory location previously occupied by a[200] a[201].
+a.splice(2, 200);
+
+// Force gc and heap verification.
+gc();
+
+// Try accessing a[0].idx. It will segfault if write-barrier was accidentally
+// omitted.
+assertEquals(0, a[0].idx);
+assertEquals(1, a[1].idx);
+assertEquals(202, a[2].idx);
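Review bot: The closing assertions only probe a[0], a[1] and a[2] after the splice; checking the tail as well would let this regression test catch a trimming or length bug rather than only a stale pointer, at no extra cost: `assertEquals(300, a.length);` and `assertEquals(499, a[299].idx);`. The comment above them says the access "will segfault" if the barrier is missing, which overstates it: a skipped barrier leaves a dangling old-to-new reference that surfaces only once the collector (or heap verification) runs, and may read as garbage rather than crash, so `// If the write barrier was skipped, the moved slots hold stale pointers after gc(); reading them may crash or yield garbage.` describes the failure mode more precisely. The 500-element size is tied to spanning several page regions per the comment on line 30; that dependency on region granularity is presumably an assumption worth noting for whoever retunes the test if page layout changes.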