From: hpayer@chromium.org
Date: Tue, 19 Aug 2014 08:35:39 +0000 (+0000)
Subject: Do not install fillers when right trimming large objects.
X-Git-Tag: upstream/4.7.83~7566
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=91599ffc6c794a88d0b85ee382e72a76a32e5bff;p=platform%2Fupstream%2Fv8.git
Do not install fillers when right trimming large objects.
BUG=
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/487703002
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23183 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
diff --git a/src/heap/heap.cc b/src/heap/heap.cc
index fd08c82..5d3bde4 100644
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -3321,7 +3321,6 @@ void Heap::RightTrimFixedArray(FixedArrayBase* object, int elements_to_trim) {
 const int bytes_to_trim = elements_to_trim * element_size;
 // For now this trick is only applied to objects in new and paged space.
- DCHECK(!lo_space()->Contains(object));
 DCHECK(object->map() != fixed_cow_array_map());
 const int len = object->length();
@@ -3333,7 +3332,12 @@ void Heap::RightTrimFixedArray(FixedArrayBase* object, int elements_to_trim) {
 // Technically in new space this write might be omitted (except for
 // debug mode which iterates through the heap), but to play safer
 // we still do it.
- CreateFillerObjectAt(new_end, bytes_to_trim);
+ // We do not create a filler for objects in large object space.
+ // TODO(hpayer): We should shrink the large object page if the size
+ // of the object changed significantly.
+ if (!lo_space()->Contains(object)) {
+ CreateFillerObjectAt(new_end, bytes_to_trim);
+ }
 // Initialize header of the trimmed array. We are storing the new length
 // using release store after creating a filler for the left-over space to
diff --git a/test/mjsunit/regress/regress-404981.js b/test/mjsunit/regress/regress-404981.js
new file mode 100644
index 0000000..5508d6f
--- /dev/null
+++ b/test/mjsunit/regress/regress-404981.js
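Review bot: The comment left standing right after the removed DCHECK, `// For now this trick is only applied to objects in new and paged space.`, is now stale: with `DCHECK(!lo_space()->Contains(object))` gone, RightTrimFixedArray accepts large-object-space arrays as well, yet a reader of this line will assume the old restriction is still enforced. I would reword it to `// Objects in new, paged and large object space are accepted; large objects are handled specially when the freed tail is fillered below.` so the comment matches the code that now follows it. RightTrimFixedArray begins before this hunk and continues after it.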
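Review bot: The new comment says that no filler is created for objects in large object space but not why that is safe, and the retained sentence above it ("Technically in new space this write might be omitted ... but to play safer we still do it") now reads as though the filler were written everywhere. In new and paged space the filler is what lets a heap walk step over the freed tail; for a large object the hunk leaves the bytes between new_end and the old end with no object header at all, so the justification presumably is that a large-object page holds a single object and nothing iterates past new_end — that should be written down rather than left implicit. I would replace the first added comment line with `// Large object pages hold a single object, so no heap walk has to cross the freed tail; until the page is shrunk (see TODO) that tail stays allocated and unreachable.` It is also worth confirming that the page's recorded object size and live-byte accounting are brought in line with the new length elsewhere, since nothing in this hunk adjusts them. The function continues outside the hunk.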
@@ -0,0 +1,6 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var large_object = new Array(5000001);
+large_object.length = 23;
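Review bot: The new regression test carries no assertion and no comment stating what it exercises, so a later reader cannot tell whether it guards against a crash, a verifier failure or a wrong result. Adding `assertEquals(23, large_object.length);` after the shrink pins the one observable outcome, and a one-line comment above the allocation such as `// Shrinking an array whose backing store is expected to live in large object space must not crash (see the bug this file is named after).` records the intent. Whether an array of 5000001 elements actually lands in large object space is not visible from this file and should be confirmed when the comment is written.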