Avoid issuing write barriers for unboxed double fields in Heap::CopyJSObject().

test/cctest/test-unboxed-doubles.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <stdlib.h>
 #include <utility>
 
 #include "src/v8.h"
 
 #include "src/compilation-cache.h"
@@ skipping 1205 matching lines @@
   // Enforce scan on scavenge for the obj's page.
   MemoryChunk* chunk = MemoryChunk::FromAddress(obj->address());
   chunk->set_scan_on_scavenge(true);
 
   // Trigger GCs and force evacuation. Should not crash there.
   CcTest::heap()->CollectAllGarbage(i::Heap::kNoGCFlags);
 
   CHECK_EQ(boom_value, GetDoubleFieldValue(*obj, field_index));
 }
 
+
+static int LenFromSize(int size) {
+  return (size - FixedArray::kHeaderSize) / kPointerSize;
+}
+
+
+TEST(WriteBarriersInCopyJSObject) {
+  CcTest::InitializeVM();
+  Isolate* isolate = CcTest::i_isolate();
+  TestHeap* heap = CcTest::test_heap();
+
+  // Increase the chance of 'bump-the-pointer' allocation in old space.

[Hannes Payer (out of office), 2015/02/02 21:00:54]

I do not get this line. Why does that increase the chance of bump-pointer
allocation?

[Igor Sheludko, 2015/02/03 09:14:21]

Sorry, that was a copy/paste. Done.

+  heap->CollectAllGarbage(Heap::kAbortIncrementalMarkingMask);
+
+  v8::HandleScope scope(CcTest::isolate());
+
+  // The plan: create JSObject which contains unboxed double value that looks
+  // like a reference to an object in new space.
+  // Then clone this object (forcing it to go into old space) and check
+  // that the value of the unboxed double property of the cloned object has
+  // was not corrupted by GC.
+
+  // Step 1: prepare a map for the object. We add unboxed double property to it.
+  // Create a map with single inobject property.
+  Handle<Map> my_map = Map::Create(isolate, 1);
+  Handle<String> name = isolate->factory()->InternalizeUtf8String("foo");
+  my_map = Map::CopyWithField(my_map, name, HeapType::Any(isolate), NONE,
+                              Representation::Double(),
+                              INSERT_TRANSITION).ToHandleChecked();
+  my_map->set_pre_allocated_property_fields(1);
+  int n_properties = my_map->InitialPropertiesLength();
+  CHECK_GE(n_properties, 0);
+
+  int object_size = my_map->instance_size();
+
+  // Step 2: allocate a lot of objects so to almost fill new space: we need
+  // just enough room to allocate JSObject and thus fill the newspace.
+
+  int allocation_amount =
+      Min(FixedArray::kMaxSize, Page::kMaxRegularHeapObjectSize + kPointerSize);
+  int allocation_len = LenFromSize(allocation_amount);
+  NewSpace* new_space = heap->new_space();
+  Address* top_addr = new_space->allocation_top_address();
+  Address* limit_addr = new_space->allocation_limit_address();
+  while ((*limit_addr - *top_addr) > allocation_amount) {

[Hannes Payer (out of office), 2015/02/02 21:00:54]

Just create a filler here, that's easier. Moreover, we should make sure that new
space is not growing. Just set the max_semi_space_size=1.

[Igor Sheludko, 2015/02/03 09:14:21]

Thanks for the max_semi_space_size suggestion! 
Unfortunately Heap::AllocateFillerObject() is a private method and I'm not sure
if we should change that, so I'll keep allocating arrays here.

+    CHECK(!heap->always_allocate());
+    Object* array = heap->AllocateFixedArray(allocation_len).ToObjectChecked();
+    CHECK(new_space->Contains(array));
+  }
+
+  // Step 3: now allocate fixed array and JSObject to fill the whole new space.
+  int to_fill = static_cast<int>(*limit_addr - *top_addr - object_size);
+  int fixed_array_len = LenFromSize(to_fill);
+  CHECK(fixed_array_len < FixedArray::kMaxLength);
+
+  CHECK(!heap->always_allocate());
+  Object* array = heap->AllocateFixedArray(fixed_array_len).ToObjectChecked();
+  CHECK(new_space->Contains(array));
+
+  Object* object = heap->AllocateJSObjectFromMap(*my_map).ToObjectChecked();
+  CHECK(new_space->Contains(object));
+  JSObject* jsobject = JSObject::cast(object);
+  CHECK_EQ(0, FixedArray::cast(jsobject->elements())->length());
+  CHECK_EQ(0, jsobject->properties()->length());
+
+  // Construct a double value that looks like a pointer to the new space object
+  // and store it into the obj.
+  Address fake_object = reinterpret_cast<Address>(array) + kPointerSize;
+  double boom_value = bit_cast<double>(fake_object);
+  FieldIndex index = FieldIndex::ForDescriptor(*my_map, 0);
+  jsobject->RawFastDoublePropertyAtPut(index, boom_value);
+
+  CHECK_EQ(0, static_cast<int>(*limit_addr - *top_addr));
+
+  // Step 4: clone jsobject, but force always allocate first to create a clone
+  // in old pointer space.
+  AlwaysAllocateScope aa_scope(isolate);
+  Object* clone_obj = heap->CopyJSObject(jsobject).ToObjectChecked();
+  Handle<JSObject> clone(JSObject::cast(clone_obj));
+  CHECK(heap->old_pointer_space()->Contains(clone->address()));
+
+  CcTest::heap()->CollectGarbage(NEW_SPACE, "boom");
+
+  // The value in cloned object should not be corrupted by GC.
+  CHECK_EQ(boom_value, clone->RawFastDoublePropertyAt(index));
+}
+
 #endif