From: mstarzinger@chromium.org Date: Fri, 16 Aug 2013 15:10:07 +0000 (+0000) Subject: Mark HStringCompareAndBranch as potentially causing GCs. X-Git-Tag: upstream/4.7.83~12934 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=3e4fbd0e8574f9bdf97f8925ec3df55840623b1b;p=platform%2Fupstream%2Fv8.git Mark HStringCompareAndBranch as potentially causing GCs. This also adds a %SetAllocationTimout runtime function which helps to write regression tests that need to trigger a GC at a certain point in program execution. R=hpayer@chromium.org BUG=chromium:274438 TEST=mjsunit/regress/regress-crbug-274438 Review URL: https://codereview.chromium.org/22933006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16205 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- diff --git a/src/heap.cc b/src/heap.cc index 9d8a6fa..623ec31 100644 --- a/src/heap.cc +++ b/src/heap.cc @@ -4013,10 +4013,10 @@ MaybeObject* Heap::AllocateByteArray(int length, PretenureFlag pretenure) { return AllocateByteArray(length); } int size = ByteArray::SizeFor(length); + AllocationSpace space = + (size > Page::kMaxNonCodeHeapObjectSize) ? LO_SPACE : OLD_DATA_SPACE; Object* result; - { MaybeObject* maybe_result = (size <= Page::kMaxNonCodeHeapObjectSize) - ? old_data_space_->AllocateRaw(size) - : lo_space_->AllocateRaw(size, NOT_EXECUTABLE); + { MaybeObject* maybe_result = AllocateRaw(size, space, space); if (!maybe_result->ToObject(&result)) return maybe_result; } diff --git a/src/heap.h b/src/heap.h index 78c0e5b..e0ffa63 100644 --- a/src/heap.h +++ b/src/heap.h @@ -1490,6 +1490,10 @@ class Heap { inline bool IsInGCPostProcessing() { return gc_post_processing_depth_ > 0; } #ifdef DEBUG + void set_allocation_timeout(int timeout) { + allocation_timeout_ = timeout; + } + bool disallow_allocation_failure() { return disallow_allocation_failure_; } diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h index 41f9d0d..10a3111 100644 --- a/src/hydrogen-instructions.h 
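Review bot: The switch to `AllocateRaw(size, space, space)` in `Heap::AllocateByteArray` is not explained by the commit description, which mentions only the GVN flag and the new runtime function. If the intent is to make byte-array allocation honour the debug allocation timeout (my reading; the body of `AllocateRaw` is not visible here), a short comment above the call would stop a later cleanup from reverting to direct per-space calls, for example `// Go through AllocateRaw so debug-mode allocation timeouts apply here too.` The function starts and ends outside the hunk.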
+++ b/src/hydrogen-instructions.h @@ -4081,6 +4081,7 @@ class HStringCompareAndBranch: public HTemplateControlInstruction<2, 3> { SetOperandAt(1, left); SetOperandAt(2, right); set_representation(Representation::Tagged()); + SetGVNFlag(kChangesNewSpacePromotion); } HValue* context() { return OperandAt(0); } diff --git a/src/runtime.cc b/src/runtime.cc index 10de6f9..6553044 100644 --- a/src/runtime.cc +++ b/src/runtime.cc @@ -8635,6 +8635,19 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_CompileForOnStackReplacement) { } +RUNTIME_FUNCTION(MaybeObject*, Runtime_SetAllocationTimeout) { + SealHandleScope shs(isolate); + ASSERT(args.length() == 2); +#ifdef DEBUG + CONVERT_SMI_ARG_CHECKED(interval, 0); + CONVERT_SMI_ARG_CHECKED(timeout, 1); + isolate->heap()->set_allocation_timeout(timeout); + FLAG_gc_interval = interval; +#endif + return isolate->heap()->undefined_value(); +} + + RUNTIME_FUNCTION(MaybeObject*, Runtime_CheckIsBootstrapping) { SealHandleScope shs(isolate); RUNTIME_ASSERT(isolate->bootstrapper()->IsActive()); diff --git a/src/runtime.h b/src/runtime.h index 23e91f2..a9a7d4a 100644 --- a/src/runtime.h +++ b/src/runtime.h @@ -101,6 +101,7 @@ namespace internal { F(GetOptimizationStatus, -1, 1) \ F(GetOptimizationCount, 1, 1) \ F(CompileForOnStackReplacement, 1, 1) \ + F(SetAllocationTimeout, 2, 1) \ F(AllocateInNewSpace, 1, 1) \ F(AllocateInOldPointerSpace, 1, 1) \ F(AllocateInOldDataSpace, 1, 1) \ diff --git a/test/mjsunit/regress/regress-crbug-274438.js b/test/mjsunit/regress/regress-crbug-274438.js new file mode 100644 index 0000000..5d6817d --- /dev/null +++ b/test/mjsunit/regress/regress-crbug-274438.js 
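Review bot: The added `SetGVNFlag(kChangesNewSpacePromotion);` in the HStringCompareAndBranch constructor has no comment saying why a comparison can trigger a GC, although that line is the whole fix. Passes that assume no GC happens between two allocations depend on this flag, so leaving it off is a memory-safety problem rather than a missed optimization (presumably what crbug 274438 hit). I would add a comment above the call, along the lines of `// The string compare may call out and allocate, so a GC can happen here.`, worded to match what the generated code really does. It is also worth checking whether other instructions that call into stubs or the runtime lack the same flag; none are visible in this hunk.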
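Review bot: Outside DEBUG builds `Runtime_SetAllocationTimeout` skips the entire `#ifdef DEBUG` body and just returns undefined, so `%SetAllocationTimeout(100, 0)` in regress-crbug-274438.js does nothing there and the test passes without forcing the GC it was written for. A comment above the `#ifdef`, such as `// No-op in release builds; the allocation timeout only exists under DEBUG.`, would make that explicit. Inside the block, `FLAG_gc_interval = interval;` overwrites a process-wide flag and never restores it, so everything that runs afterwards in the same process inherits the new interval. That is acceptable for a test-only native behind --allow-natives-syntax, but it should be stated in the comment.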
@@ -0,0 +1,43 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+function f(a, b) {
+ var x = { a:a };
+ switch(b) { case "string": }
+ var y = { b:b };
+ return y;
+}
+
+f("a", "b");
+f("a", "b");
+%OptimizeFunctionOnNextCall(f);
+f("a", "b");
+%SetAllocationTimeout(100, 0);
+var killer = f("bang", "bo" + "om");
+assertEquals("boom", killer.b);
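Review bot: Nothing in the test says why `switch(b) { case "string": }` sits between the two object literals in `f`, so the shape looks arbitrary and is easy to simplify away later. A one-line comment above `f` would record the intent, for example `// The string switch puts a comparison that may GC between the two allocations.` (presumably this is what compiles to the patched instruction; adjust the wording if not). Next to `%SetAllocationTimeout(100, 0);` it would help to note that the arguments are (gc interval, timeout), since the native's name mentions only the second.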