From 18a10e3482d20920ab0ade94ecc569f050c24140 Mon Sep 17 00:00:00 2001
From: "jarin@chromium.org"
Date: Thu, 14 Aug 2014 07:41:33 +0000
Subject: [PATCH] Fix pointer iteration for maps.
BUG=
R=hpayer@chromium.org
Review URL: https://codereview.chromium.org/475463003
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23114 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
src/heap/store-buffer.cc | 7 ++++---
test/cctest/test-heap.cc | 45 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+), 3 deletions(-)
diff --git a/src/heap/store-buffer.cc b/src/heap/store-buffer.cc
index b48e1a4..48e98a3 100644
--- a/src/heap/store-buffer.cc
+++ b/src/heap/store-buffer.cc
@@ -486,10 +486,11 @@ void StoreBuffer::IteratePointersToNewSpace(ObjectSlotCallback slot_callback,
 heap_object = iterator.Next()) {
 // We skip free space objects.
 if (!heap_object->IsFiller()) {
+ DCHECK(heap_object->IsMap());
 FindPointersToNewSpaceInRegion(
- heap_object->address() + HeapObject::kHeaderSize,
- heap_object->address() + heap_object->Size(), slot_callback,
- clear_maps);
+ heap_object->address() + Map::kPointerFieldsBeginOffset,
+ heap_object->address() + Map::kPointerFieldsEndOffset,
+ slot_callback, clear_maps);
 }
 }
 } else {
diff --git a/test/cctest/test-heap.cc b/test/cctest/test-heap.cc
index ab000dc..601e9eb 100644
--- a/test/cctest/test-heap.cc
+++ b/test/cctest/test-heap.cc
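Review bot: The narrowed scan range passed to FindPointersToNewSpaceInRegion is undocumented, and nothing in the hunk says why the old header-to-Size() range was wrong, so a later reader is likely to widen it again; a comment above the call such as `// Maps hold raw (non-pointer) words such as the instance size outside` `// [kPointerFieldsBeginOffset, kPointerFieldsEndOffset); scanning those as` `// slots lets the scavenger overwrite non-pointer data.` would pin the invariant the commit relies on. The added `DCHECK(heap_object->IsMap())` holds only in debug builds; in a release build a non-filler, non-map object reaching this branch would be scanned with Map offsets, which presumably cannot happen if this iterator walks map space only, but the iterator's setup is outside the hunk and worth confirming. The enclosing IteratePointersToNewSpace starts before the hunk and continues after it.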
@@ -4475,6 +4475,51 @@ TEST(Regress388880) {
 }
+TEST(RegressStoreBufferMapUpdate) {
+ CcTest::InitializeVM();
+ v8::HandleScope scope(CcTest::isolate());
+ Isolate* isolate = CcTest::i_isolate();
+ Factory* factory = isolate->factory();
+ Heap* heap = isolate->heap();
+
+ // This test checks that we do not treat instance size field of the map
+ // as a heap pointer when processing the store buffer.
+
+ Handle map1 = Map::Create(isolate->object_function(), 1);
+
+ // Allocate a throw-away object.
+ factory->NewFixedArray(1, NOT_TENURED);
+
+ // Allocate a new-space object that will be moved by the GC (because
+ // the throw-away object will die).
+ Handle object_to_move = factory->NewFixedArray(1, NOT_TENURED);
+
+ // Record the address before the GC.
+ Object* object_to_move_address = *object_to_move;
+
+ // Smash the new space pointer to the moving object into the instance size
+ // field of the map. The idea is to trick the GC into updating this pointer
+ // when the object moves. This would be wrong because instance size should
+ // not be treated as a heap pointer.
+ *(reinterpret_cast(map1->address() + Map::kInstanceSizeOffset)) =
+ object_to_move_address;
+
+ // Make sure we scan the map's page on scavenge.
+ Page* page = Page::FromAddress(map1->address());
+ page->set_scan_on_scavenge(true);
+
+ heap->CollectGarbage(NEW_SPACE);
+
+ // Check the object has really moved.
+ CHECK(*object_to_move != object_to_move_address);
+
+ // Now check that we have not updated the instance size field of the map.
+ CHECK_EQ(object_to_move_address,
+ *(reinterpret_cast(map1->address() +
+ Map::kInstanceSizeOffset)));
+}
+
+
 #ifdef DEBUG
 TEST(PathTracer) {
 CcTest::InitializeVM();
-- 
2.7.4
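Review bot: The instance-size word of map1 is overwritten with a raw pointer at the `*(reinterpret_cast(map1->address() + Map::kInstanceSizeOffset)) =` store and is never restored, so the map stays corrupted after the test body ends and any heap verification the harness runs later would see a pointer-sized value where a small integer belongs; saving the original word first, `Object** size_slot = reinterpret_cast<Object**>(map1->address() + Map::kInstanceSizeOffset);` `Object* saved_size = *size_slot;`, and writing it back after the final CHECK_EQ, `*size_slot = saved_size;`, keeps the map intact and removes the duplicated offset arithmetic in the two casts. Whether a later verifier actually inspects this map is not visible in the hunk. As rendered here `Handle map1`, `Handle object_to_move` and the two `reinterpret_cast(` calls carry no template arguments, which looks like angle brackets lost in extraction rather than the committed source, so it is worth checking against the original patch before reading anything into it.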