Fix pointer iteration for maps.

test/cctest/test-heap.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 4457 matching lines @@
   marking->Abort();
   marking->Start();
   CHECK(marking->IsMarking());
 
   // Now everything is set up for crashing in JSObject::MigrateFastToFast()
   // when it calls heap->AdjustLiveBytes(...).
   JSObject::MigrateToMap(o, map2);
 }
 
 
+TEST(RegressStoreBufferMapUpdate) {
+  CcTest::InitializeVM();
+  v8::HandleScope scope(CcTest::isolate());
+  Isolate* isolate = CcTest::i_isolate();
+  Factory* factory = isolate->factory();
+  Heap* heap = isolate->heap();
+
+  // This test checks that we do not treat instance size field of the map
+  // as a heap pointer when processing the store buffer.
+
+  Handle<Map> map1 = Map::Create(isolate->object_function(), 1);
+
+  // Allocate a throw-away object.
+  factory->NewFixedArray(1, NOT_TENURED);
+
+  // Allocate a new-space object that will be moved by the GC (because
+  // the throw-away object will die).
+  Handle<FixedArray> object_to_move = factory->NewFixedArray(1, NOT_TENURED);
+
+  // Record the address before the GC.
+  Object* object_to_move_address = *object_to_move;
+
+  // Smash the new space pointer to the moving object into the instance size
+  // field of the map. The idea is to trick the GC into updating this pointer
+  // when the object moves. This would be wrong because instance size should
+  // not be treated as a heap pointer.
+  *(reinterpret_cast<Object**>(map1->address() + Map::kInstanceSizeOffset)) =
+      object_to_move_address;
+
+  // Make sure we scan the map's page on scavenge.
+  Page* page = Page::FromAddress(map1->address());
+  page->set_scan_on_scavenge(true);
+
+  heap->CollectGarbage(NEW_SPACE);
+
+  // Check the object has really moved.
+  CHECK(*object_to_move != object_to_move_address);
+
+  // Now check that we have not updated the instance size field of the map.
+  CHECK_EQ(object_to_move_address,
+           *(reinterpret_cast<Object**>(map1->address() +
+                                        Map::kInstanceSizeOffset)));
+}
+
+
 #ifdef DEBUG
 TEST(PathTracer) {
   CcTest::InitializeVM();
   v8::HandleScope scope(CcTest::isolate());
 
   v8::Local<v8::Value> result = CompileRun("'abc'");
   Handle<Object> o = v8::Utils::OpenHandle(*result);
   CcTest::i_isolate()->heap()->TracePathToObject(*o);
 }
 #endif  // DEBUG