src/heap/heap.cc - Issue 1481493003: Fix JSFunction's in-object properties initialization.

Side by Side Diff: src/heap/heap.cc

Issue 1481493003: Fix JSFunction's in-object properties initialization. (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master

Patch Set: Created 5 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2012 the V8 project authors. All rights reserved.	1 // Copyright 2012 the V8 project authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "src/heap/heap.h"	5 #include "src/heap/heap.h"

6	6

7 #include "src/accessors.h"	7 #include "src/accessors.h"

8 #include "src/api.h"	8 #include "src/api.h"

9 #include "src/base/bits.h"	9 #include "src/base/bits.h"

10 #include "src/base/once.h"	10 #include "src/base/once.h"

(...skipping 3414 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
3425 Map* map) {	3425 Map* map) {

3426 obj->set_properties(properties);	3426 obj->set_properties(properties);

3427 obj->initialize_elements();	3427 obj->initialize_elements();

3428 // TODO(1240798): Initialize the object's body using valid initial values	3428 // TODO(1240798): Initialize the object's body using valid initial values

3429 // according to the object's initial map. For example, if the map's	3429 // according to the object's initial map. For example, if the map's

3430 // instance type is JS_ARRAY_TYPE, the length field should be initialized	3430 // instance type is JS_ARRAY_TYPE, the length field should be initialized

3431 // to a number (e.g. Smi::FromInt(0)) and the elements initialized to a	3431 // to a number (e.g. Smi::FromInt(0)) and the elements initialized to a

3432 // fixed array (e.g. Heap::empty_fixed_array()). Currently, the object	3432 // fixed array (e.g. Heap::empty_fixed_array()). Currently, the object

3433 // verification code has to cope with (temporarily) invalid objects. See	3433 // verification code has to cope with (temporarily) invalid objects. See

3434 // for example, JSArray::JSArrayVerify).	3434 // for example, JSArray::JSArrayVerify).

	3435 InitializeJSObjectBody(obj, map, JSObject::kHeaderSize);

	3436 }

	3437

	3438

	3439 void Heap::InitializeJSObjectBody(JSObject* obj, Map* map, int start_offset) {

	3440 if (start_offset >= map->instance_size()) return;
	ulan 2015/11/25 11:11:51 As discussed offline, please check for == explicit As discussed offline, please check for == explicitly and DCHECK that offset doesn't exceed the size. Igor Sheludko 2015/11/25 11:25:40 Done. Show quoted text On 2015/11/25 11:11:51, ulan wrote: > As discussed offline, please check for == explicitly and DCHECK that offset > doesn't exceed the size. Done.
3435 Object* filler;	3441 Object* filler;

3436 // We cannot always fill with one_pointer_filler_map because objects	3442 // We cannot always fill with one_pointer_filler_map because objects

3437 // created from API functions expect their internal fields to be initialized	3443 // created from API functions expect their internal fields to be initialized

3438 // with undefined_value.	3444 // with undefined_value.

3439 // Pre-allocated fields need to be initialized with undefined_value as well	3445 // Pre-allocated fields need to be initialized with undefined_value as well

3440 // so that object accesses before the constructor completes (e.g. in the	3446 // so that object accesses before the constructor completes (e.g. in the

3441 // debugger) will not cause a crash.	3447 // debugger) will not cause a crash.

3442 Object* constructor = map->GetConstructor();	3448 Object* constructor = map->GetConstructor();

3443 if (constructor->IsJSFunction() &&	3449 if (constructor->IsJSFunction() &&

3444 JSFunction::cast(constructor)->IsInobjectSlackTrackingInProgress()) {	3450 JSFunction::cast(constructor)->IsInobjectSlackTrackingInProgress()) {

3445 // We might want to shrink the object later.	3451 // We might want to shrink the object later.

3446 DCHECK_EQ(0, obj->GetInternalFieldCount());	3452 DCHECK_EQ(0, obj->GetInternalFieldCount());

3447 filler = Heap::one_pointer_filler_map();	3453 filler = Heap::one_pointer_filler_map();

3448 } else {	3454 } else {

3449 filler = Heap::undefined_value();	3455 filler = Heap::undefined_value();

3450 }	3456 }

3451 obj->InitializeBody(map, Heap::undefined_value(), filler);	3457 obj->InitializeBody(map, start_offset, Heap::undefined_value(), filler);

3452 }	3458 }

3453	3459

3454	3460

3455 AllocationResult Heap::AllocateJSObjectFromMap(	3461 AllocationResult Heap::AllocateJSObjectFromMap(

3456 Map* map, PretenureFlag pretenure, AllocationSite* allocation_site) {	3462 Map* map, PretenureFlag pretenure, AllocationSite* allocation_site) {

3457 // JSFunctions should be allocated using AllocateFunction to be	3463 // JSFunctions should be allocated using AllocateFunction to be

3458 // properly initialized.	3464 // properly initialized.

3459 DCHECK(map->instance_type() != JS_FUNCTION_TYPE);	3465 DCHECK(map->instance_type() != JS_FUNCTION_TYPE);

3460	3466

3461 // Both types of global objects should be allocated using	3467 // Both types of global objects should be allocated using

(...skipping 2700 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
6162 }	6168 }

6163	6169

6164	6170

6165 // static	6171 // static

6166 int Heap::GetStaticVisitorIdForMap(Map* map) {	6172 int Heap::GetStaticVisitorIdForMap(Map* map) {

6167 return StaticVisitorBase::GetVisitorId(map);	6173 return StaticVisitorBase::GetVisitorId(map);

6168 }	6174 }

6169	6175

6170 } // namespace internal	6176 } // namespace internal

6171 } // namespace v8	6177 } // namespace v8

OLD	NEW

« no previous file with comments | « src/heap/heap.h ('k') | src/objects.h » ('j') | no next file with comments »