Chromium Code Reviews Chromium Code Reviews
Issue 11896064:
Fix corner case when JSFunction is evicted from flusher. (Closed)
Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge| OLD | NEW |
|---|---|
| 1 // Copyright 2012 the V8 project authors. All rights reserved. | 1 // Copyright 2012 the V8 project authors. All rights reserved. |
| 2 | 2 |
| 3 #include <stdlib.h> | 3 #include <stdlib.h> |
| 4 | 4 |
| 5 #include "v8.h" | 5 #include "v8.h" |
| 6 | 6 |
| 7 #include "compilation-cache.h" | 7 #include "compilation-cache.h" |
| 8 #include "execution.h" | 8 #include "execution.h" |
| 9 #include "factory.h" | 9 #include "factory.h" |
| 10 #include "macro-assembler.h" | 10 #include "macro-assembler.h" |
| (...skipping 2760 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2771 | 2771 |
| 2772 // Give the array a name, making sure not to allocate strings. | 2772 // Give the array a name, making sure not to allocate strings. |
| 2773 v8::Handle<v8::Object> array_obj = v8::Utils::ToLocal(array); | 2773 v8::Handle<v8::Object> array_obj = v8::Utils::ToLocal(array); |
| 2774 v8::Context::GetCurrent()->Global()->Set(array_name, array_obj); | 2774 v8::Context::GetCurrent()->Global()->Set(array_name, array_obj); |
| 2775 | 2775 |
| 2776 // This should crash with a protection violation if we are running a build | 2776 // This should crash with a protection violation if we are running a build |
| 2777 // with the bug. | 2777 // with the bug. |
| 2778 AlwaysAllocateScope aa_scope; | 2778 AlwaysAllocateScope aa_scope; |
| 2779 v8::Script::Compile(mote_code_string)->Run(); | 2779 v8::Script::Compile(mote_code_string)->Run(); |
| 2780 } | 2780 } |
| 2781 | |
| 2782 | |
| 2783 TEST(Regress168801) { | |
| 2784 i::FLAG_always_compact = true; | |
| 2785 i::FLAG_cache_optimized_code = false; | |
| 2786 i::FLAG_allow_natives_syntax = true; | |
| 2787 i::FLAG_flush_code_incrementally = true; | |
| 2788 InitializeVM(); | |
| 2789 v8::HandleScope scope; | |
| 2790 | |
| 2791 // Perform one initial GC to enable code flushing. | |
| 2792 HEAP->CollectAllGarbage(Heap::kAbortIncrementalMarkingMask); | |
| 2793 | |
| 2794 // Ensure the code ends up on an evacuation candidate. | |
| 2795 SimulateFullSpace(HEAP->code_space()); | |
| 2796 CompileRun("var x = 0;"); | |
|
Hannes Payer (out of office)
2013/01/23 16:03:41
CompileRun needed?
Michael Starzinger
2013/01/23 16:16:03
Done.
| |
| 2797 | |
| 2798 // Prepare an unoptimized function that is eligible for code flushing. | |
| 2799 Handle<JSFunction> function; | |
| 2800 { | |
| 2801 HandleScope inner_scope; | |
| 2802 CompileRun("function mkClosure() {" | |
| 2803 " return function(x) { return x + 1; };" | |
| 2804 "}" | |
| 2805 "var f = mkClosure();" | |
| 2806 "f(1); f(2);"); | |
| 2807 | |
| 2808 Handle<JSFunction> f = | |
| 2809 v8::Utils::OpenHandle( | |
| 2810 *v8::Handle<v8::Function>::Cast( | |
| 2811 v8::Context::GetCurrent()->Global()->Get(v8_str("f")))); | |
| 2812 CHECK(f->is_compiled()); | |
| 2813 const int kAgingThreshold = 6; | |
| 2814 for (int i = 0; i < kAgingThreshold; i++) { | |
| 2815 f->shared()->code()->MakeOlder(static_cast<MarkingParity>(i % 2)); | |
| 2816 } | |
| 2817 | |
| 2818 function = inner_scope.CloseAndEscape(handle(*f, ISOLATE)); | |
| 2819 } | |
| 2820 | |
| 2821 // Simulate incremental marking so that unoptimized function is enqueued as a | |
| 2822 // candidate for code flushing. The shared function info however will not be | |
| 2823 // explicitly enqueued. | |
| 2824 SimulateIncrementalMarking(); | |
| 2825 | |
| 2826 // Now optimize the function so that it is taken off the candidate list. | |
| 2827 { | |
| 2828 HandleScope inner_scope; | |
| 2829 CompileRun("%OptimizeFunctionOnNextCall(f); f(3);"); | |
| 2830 } | |
| 2831 | |
| 2832 // This cycle will bust the heap and subsequent cycles will go ballistic. | |
| 2833 HEAP->CollectAllGarbage(Heap::kNoGCFlags); | |
| 2834 HEAP->CollectAllGarbage(Heap::kNoGCFlags); | |
| 2835 } | |
| OLD | NEW |
