From: mvstanton@chromium.org
Date: Wed, 11 Sep 2013 13:39:11 +0000 (+0000)
Subject: To diagnose chromium bug 284577, some additional CHECKS. TODOs are
X-Git-Tag: upstream/4.7.83~12558
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=6790b83748d9fc8747db7c9e20e92049559b8cf2;p=platform%2Fupstream%2Fv8.git
To diagnose chromium bug 284577, some additional CHECKS. TODOs are added so these can be backed out once the cause of the bug is determined.
BUG=
R=hpayer@chromium.org
Review URL: https://codereview.chromium.org/23936007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16654 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index ebdf1d4..7b623b5 100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -1824,7 +1824,8 @@ void HGraphBuilder::BuildCompareNil(
 HValue* HGraphBuilder::BuildCreateAllocationMemento(HValue* previous_object,
                                                     int previous_object_size,
                                                     HValue* alloc_site) {
-  ASSERT(alloc_site != NULL);
+  // TODO(mvstanton): ASSERT altered to CHECK to diagnose chromium bug 284577
+  CHECK(alloc_site != NULL);
   HInnerAllocatedObject* alloc_memento = Add(
       previous_object, previous_object_size);
   Handle alloc_memento_map(
diff --git a/src/objects-debug.cc b/src/objects-debug.cc
index 883afe9..3716df1 100644
--- a/src/objects-debug.cc
+++ b/src/objects-debug.cc
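Review bot: The TODO on the new CHECK in BuildCreateAllocationMemento is worded differently from the other diagnostic CHECKs this commit adds in objects.cc and objects-debug.cc, which all carry the "remove after" marker, so a later grep to back the diagnostics out together could miss this one. Suggest the same wording here: `// TODO(mvstanton): CHECK to diagnose chromium bug 284577, remove after.` The body of BuildCreateAllocationMemento continues outside the hunk.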
@@ -329,11 +329,17 @@ void JSObject::JSObjectVerify() {
       }
     }
   }
-  CHECK_EQ((map()->has_fast_smi_or_object_elements() ||
-            (elements() == GetHeap()->empty_fixed_array())),
-           (elements()->map() == GetHeap()->fixed_array_map() ||
-            elements()->map() == GetHeap()->fixed_cow_array_map()));
-  CHECK(map()->has_fast_object_elements() == HasFastObjectElements());
+
+  // TODO(hpayer): deal gracefully with partially constructed JSObjects, when
+  // allocation folding is turned off.
+  if (reinterpret_cast(elements()) !=
+      GetHeap()->one_pointer_filler_map()) {
+    CHECK_EQ((map()->has_fast_smi_or_object_elements() ||
+              (elements() == GetHeap()->empty_fixed_array())),
+             (elements()->map() == GetHeap()->fixed_array_map() ||
+              elements()->map() == GetHeap()->fixed_cow_array_map()));
+    CHECK(map()->has_fast_object_elements() == HasFastObjectElements());
+  }
 }
@@ -677,9 +683,19 @@ void Code::VerifyEmbeddedMapsDependency() {
 void JSArray::JSArrayVerify() {
   JSObjectVerify();
   CHECK(length()->IsNumber() || length()->IsUndefined());
-  CHECK(elements()->IsUndefined() ||
-        elements()->IsFixedArray() ||
-        elements()->IsFixedDoubleArray());
+  // TODO(hpayer): deal gracefully with partially constructed JSObjects, when
+  // allocation folding is turned off.
+  if (reinterpret_cast(elements()) !=
+      GetHeap()->one_pointer_filler_map()) {
+    CHECK(elements()->IsUndefined() ||
+          elements()->IsFixedArray() ||
+          elements()->IsFixedDoubleArray());
+    // TODO(mvstanton): to diagnose chromium bug 284577, remove after.
+    AllocationMemento* memento = AllocationMemento::FindForJSObject(this);
+    if (memento != NULL && memento->IsValid()) {
+      memento->AllocationMementoVerify();
+    }
+  }
 }
diff --git a/src/objects.cc b/src/objects.cc
index 4ca3d57..50868df 100644
--- a/src/objects.cc
+++ b/src/objects.cc
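Review bot: The new guard in JSObjectVerify compares the raw word in the elements slot (the cast of `elements()` itself) against `one_pointer_filler_map()`, which reads at first glance like a typo for `elements()->map()`; the same construct is repeated in the JSArrayVerify hunk below. A one-line comment would keep the next reader from "fixing" it, e.g. `// A partially constructed JSObject may still hold the one-pointer filler map in its elements slot; compare the raw slot word, not elements()->map().` Note also that when the guard is taken nothing about the partially constructed object is verified at all, which is presumably acceptable for a temporary diagnostic but is worth stating in the TODO.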
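Review bot: JSArrayVerify now calls `AllocationMemento::FindForJSObject(this)`, and the objects.cc hunk in this same commit makes that function CHECK `InToSpace` for every new-space object; if a verifier pass can reach a JSArray while it sits in from-space, the abort would be reported from verification rather than from the allocation path being diagnosed. If verification only ever runs with an empty from-space this is fine, but that dependence is not visible here and deserves a comment at the call site, e.g. `// FindForJSObject CHECKs InToSpace for new-space objects; verification must not run while from-space is populated.`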
@@ -9052,6 +9052,8 @@ AllocationMemento* AllocationMemento::FindForJSObject(JSObject* object) {
   // involves carefully checking the object immediately after the JSArray
   // (if there is one) to see if it's an AllocationMemento.
   if (FLAG_track_allocation_sites && object->GetHeap()->InNewSpace(object)) {
+    // TODO(mvstanton): CHECK to diagnose chromium bug 284577, remove after.
+    CHECK(object->GetHeap()->InToSpace(object));
     Address ptr_end = (reinterpret_cast
(object) - kHeapObjectTag) + object->Size();
     if ((ptr_end + AllocationMemento::kSize) <=
@@ -9061,8 +9063,14 @@ AllocationMemento* AllocationMemento::FindForJSObject(JSObject* object) {
           reinterpret_cast(ptr_end);
       if (*possible_allocation_memento_map ==
           object->GetHeap()->allocation_memento_map()) {
+        Address ptr_object = reinterpret_cast
(object);
+        // TODO(mvstanton): CHECK to diagnose chromium bug 284577, remove after.
+        // If this check fails it points to the very unlikely case that we've
+        // misinterpreted a page header as an allocation memento. Follow up
+        // with a real fix.
+        CHECK(Page::FromAddress(ptr_object) == Page::FromAddress(ptr_end));
         AllocationMemento* memento = AllocationMemento::cast(
-            reinterpret_cast(ptr_end + 1));
+            reinterpret_cast(ptr_end + kHeapObjectTag));
         return memento;
       }
     }
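Review bot: The new page CHECK runs only after `*possible_allocation_memento_map` has already been dereferenced (that statement begins just above this hunk), so in the case the comment describes the read of the neighbouring page's header has already happened before the check can fire, and it fires only when that header word happens to equal the memento map. Moving the comparison ahead of the dereference turns the diagnostic into the "real fix" the TODO asks for: `Address ptr_object = reinterpret_cast<Address>(object);` followed by `if (Page::FromAddress(ptr_object) != Page::FromAddress(ptr_end)) return NULL;` before the map word is loaded. Whether ptr_end can legitimately land on the next page depends on what the `kSize` bound in the previous hunk is compared against, which is outside this hunk; if it is the space top rather than the page area end, an object ending exactly at the page boundary reaches this code. FindForJSObject starts and ends outside the hunk.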