| OLD | NEW |
|---|
| 1 // Copyright 2012 the V8 project authors. All rights reserved. | 1 // Copyright 2012 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/objects.h" | 5 #include "src/objects.h" |
| 6 | 6 |
| 7 #include "src/bootstrapper.h" | 7 #include "src/bootstrapper.h" |
| 8 #include "src/disasm.h" | 8 #include "src/disasm.h" |
| 9 #include "src/disassembler.h" | 9 #include "src/disassembler.h" |
| 10 #include "src/field-type.h" | 10 #include "src/field-type.h" |
| (...skipping 767 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 778 if (!length()->IsNumber()) return; | 778 if (!length()->IsNumber()) return; |
| 779 // Verify that the length and the elements backing store are in sync. | 779 // Verify that the length and the elements backing store are in sync. |
| 780 if (length()->IsSmi() && HasFastElements()) { | 780 if (length()->IsSmi() && HasFastElements()) { |
| 781 int size = Smi::cast(length())->value(); | 781 int size = Smi::cast(length())->value(); |
| 782 // Holey / Packed backing stores might have slack or might have not been | 782 // Holey / Packed backing stores might have slack or might have not been |
| 783 // properly initialized yet. | 783 // properly initialized yet. |
| 784 CHECK(size <= elements()->length() || | 784 CHECK(size <= elements()->length() || |
| 785 elements() == isolate->heap()->empty_fixed_array()); | 785 elements() == isolate->heap()->empty_fixed_array()); |
| 786 } else { | 786 } else { |
| 787 CHECK(HasDictionaryElements()); | 787 CHECK(HasDictionaryElements()); |
| 788 uint32_t size; | 788 uint32_t array_length; |
| 789 CHECK(length()->ToArrayLength(&size)); | 789 CHECK(length()->ToArrayLength(&array_length)); |
| 790 if (size != 0) { | 790 if (array_length == 0xffffffff) { |
| 791 CHECK(length()->ToArrayLength(&array_length)); |
| 792 } |
| 793 if (array_length != 0) { |
| 791 SeededNumberDictionary* dict = SeededNumberDictionary::cast(elements()); | 794 SeededNumberDictionary* dict = SeededNumberDictionary::cast(elements()); |
| 792 // The dictionary can never have more elements than the array length. | 795 // The dictionary can never have more elements than the array length + 1. |
| 793 CHECK(static_cast<uint32_t>(dict->NumberOfElements()) <= size); | 796 // If the backing store grows the verification might be triggered with |
| 797 // the old length in place. |
| 798 uint32_t nof_elements = static_cast<uint32_t>(dict->NumberOfElements()); |
| 799 if (nof_elements != 0) nof_elements--; |
| 800 CHECK_LE(nof_elements, array_length); |
| 794 } | 801 } |
| 795 } | 802 } |
| 796 } | 803 } |
| 797 | 804 |
| 798 | 805 |
| 799 void JSSet::JSSetVerify() { | 806 void JSSet::JSSetVerify() { |
| 800 CHECK(IsJSSet()); | 807 CHECK(IsJSSet()); |
| 801 JSObjectVerify(); | 808 JSObjectVerify(); |
| 802 VerifyHeapPointer(table()); | 809 VerifyHeapPointer(table()); |
| 803 CHECK(table()->IsOrderedHashTable() || table()->IsUndefined(GetIsolate())); | 810 CHECK(table()->IsOrderedHashTable() || table()->IsUndefined(GetIsolate())); |
| (...skipping 696 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1500 | 1507 |
| 1501 // Both are done at the same time. | 1508 // Both are done at the same time. |
| 1502 CHECK_EQ(new_it.done(), old_it.done()); | 1509 CHECK_EQ(new_it.done(), old_it.done()); |
| 1503 } | 1510 } |
| 1504 | 1511 |
| 1505 | 1512 |
| 1506 #endif // DEBUG | 1513 #endif // DEBUG |
| 1507 | 1514 |
| 1508 } // namespace internal | 1515 } // namespace internal |
| 1509 } // namespace v8 | 1516 } // namespace v8 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2501303002:
[heap-verify] Allow for temporary invalid array length for slow elements (Closed)
