test/cctest/test-unboxed-doubles.cc - Issue 765473004: Fast-to-slow migration should wipe out in-object space if it exists in the object after migration.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: test/cctest/test-unboxed-doubles.cc

Issue 765473004: Fast-to-slow migration should wipe out in-object space if it exists in the object after migration. (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master

Patch Set: Addressed comments Created 6 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: test/cctest/test-unboxed-doubles.cc

diff --git a/test/cctest/test-unboxed-doubles.cc b/test/cctest/test-unboxed-doubles.cc

index db1aaaf5c6744fda11d1a1ed7e5cb8622988dcc1..8b2c47357fe81d973d5d65444fe80db0f7585c2c 100644

--- a/test/cctest/test-unboxed-doubles.cc

+++ b/test/cctest/test-unboxed-doubles.cc

@@ -603,6 +603,51 @@ TEST(LayoutDescriptorAppendIfFastOrUseFullAllDoubles) {

}

+TEST(Regress436816) {

+ CcTest::InitializeVM();

+ Isolate* isolate = CcTest::i_isolate();

+ Factory* factory = isolate->factory();

+ v8::HandleScope scope(CcTest::isolate());

+ const int kPropsCount = kSmiValueSize * 3;

+ PropertyKind props[kPropsCount];

+ for (int i = 0; i < kPropsCount; i++) {

+ props[i] = PROP_DOUBLE;

+ }

+ Handle<DescriptorArray> descriptors =

+ CreateDescriptorArray(isolate, props, kPropsCount);

+ Handle<Map> map = Map::Create(isolate, kPropsCount);

+ Handle<LayoutDescriptor> layout_descriptor =

+ LayoutDescriptor::New(map, descriptors, kPropsCount);

+ map->InitializeDescriptors(*descriptors, *layout_descriptor);

+ Handle<JSObject> object = factory->NewJSObjectFromMap(map, TENURED);

+ Address fake_address = reinterpret_cast<Address>(~kHeapObjectTagMask);

+ HeapObject* fake_object = HeapObject::FromAddress(fake_address);

+ CHECK(fake_object->IsHeapObject());

+ double boom_value = bit_cast<double>(fake_object);

+ for (int i = 0; i < kPropsCount; i++) {

+ FieldIndex index = FieldIndex::ForDescriptor(*map, i);

+ CHECK(map->IsUnboxedDoubleField(index));

+ object->RawFastDoublePropertyAtPut(index, boom_value);

+ }

+ CHECK(object->HasFastProperties());

+ CHECK(!object->map()->HasFastPointerLayout());

+ Handle<Map> normalized_map =

+ Map::Normalize(map, KEEP_INOBJECT_PROPERTIES, "testing");

+ JSObject::MigrateToMap(object, normalized_map);

+ CHECK(!object->HasFastProperties());

+ CHECK(object->map()->HasFastPointerLayout());

+ // Trigger GCs and heap verification.

+ CcTest::heap()->CollectAllGarbage(i::Heap::kNoGCFlags);

TEST(StoreBufferScanOnScavenge) {

CcTest::InitializeVM();

Isolate* isolate = CcTest::i_isolate();

« no previous file with comments | « src/objects-inl.h ('k') | no next file » | no next file with comments »