Added a test which installs a poisonous memento right after the new space top pointer.

test/cctest/test-mementos.cc

Index: test/cctest/test-mementos.cc
diff --git a/test/cctest/test-ast.cc b/test/cctest/test-mementos.cc
similarity index 58%
copy from test/cctest/test-ast.cc
copy to test/cctest/test-mementos.cc
index d6431371aa1b4e1d609c4af18e36bd86552a58a0..e1b14705f7532bc3b1df54d49e478ee759bf361a 100644
--- a/test/cctest/test-ast.cc
+++ b/test/cctest/test-mementos.cc
@@ -1,4 +1,4 @@
-// Copyright 2012 the V8 project authors. All rights reserved.
+// Copyright 2014 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
@@ -25,36 +25,37 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-#include <stdlib.h>
-
-#include "v8.h"
-
-#include "ast.h"
 #include "cctest.h"
 
 using namespace v8::internal;
 
-TEST(List) {
-  v8::internal::V8::Initialize(NULL);
-  List<AstNode*>* list = new List<AstNode*>(0);
-  CHECK_EQ(0, list->length());
+TEST(Regress340063) {
+  CcTest::InitializeVM();
+  if (!i::FLAG_allocation_site_pretenuring) return;
+  v8::HandleScope scope(CcTest::isolate());
 
   Isolate* isolate = CcTest::i_isolate();
-  Zone zone(isolate);
-  AstNodeFactory<AstNullVisitor> factory(&zone);
-  AstNode* node = factory.NewEmptyStatement(RelocInfo::kNoPosition);
-  list->Add(node);
-  CHECK_EQ(1, list->length());
-  CHECK_EQ(node, list->at(0));
-  CHECK_EQ(node, list->last());
-
-  const int kElements = 100;
-  for (int i = 0; i < kElements; i++) {
-    list->Add(node);
-  }
-  CHECK_EQ(1 + kElements, list->length());
-
-  list->Clear();
-  CHECK_EQ(0, list->length());
-  delete list;
+  Heap* heap = isolate->heap();
+  NewSpace* new_space = heap->new_space();
+
+  // Make sure we can allocate some objects without causing a GC later.
+  heap->CollectAllGarbage(Heap::kAbortIncrementalMarkingMask);
+
+  // Allocate a literal, there will be a memento after this literal.
+  CompileRun("var a = [];");

[Benedikt Meurer, 2014/02/04 08:27:44]

This is rather fragile. Why not simply call the Heap method to allocate a
JSArray and manually stick an AllocationMemento after the new top pointer?

[mvstanton, 2014/02/04 09:01:11]

But since mementos are a part of the code now (there is no longer a flag to
control this), I'd say go ahead and trust that a memento will be emitted. You
could assert that the word after the JSArray is the memento map. 

[Hannes Payer (out of office), 2014/02/04 11:59:32]

We can do that as well.

+
+  // Set the top pointer after the allocated literal, right before
+  // the allocated memento.
+  Address top = new_space->top() - AllocationMemento::kSize;
+  new_space->set_top(top);
+
+  // Overwrite the allocation site pointer in the memento with garbage.
+  AllocationMemento* memento =
+      reinterpret_cast<AllocationMemento*>(top + kHeapObjectTag);
+  memento->set_allocation_site(
+      reinterpret_cast<AllocationSite*>(kHeapObjectTag), SKIP_WRITE_BARRIER);
+
+  // Call GC to see if we can handle a poisonous memento right after the
+  // current new space top pointer.
+  heap->CollectAllGarbage(Heap::kAbortIncrementalMarkingMask);

[mvstanton, 2014/02/04 09:01:11]

Have you verified that crash would happen here?

[Hannes Payer (out of office), 2014/02/04 11:59:32]

Yes, it would crash without the fix.

 }