| Ben Murdoch | b8a8cc1 | 2014-11-26 15:28:44 +0000 | [diff] [blame^] | 1 | // Copyright 2014 the V8 project authors. All rights reserved. |
| 2 | // Redistribution and use in source and binary forms, with or without |
| 3 | // modification, are permitted provided that the following conditions are |
| 4 | // met: |
| 5 | // |
| 6 | // * Redistributions of source code must retain the above copyright |
| 7 | // notice, this list of conditions and the following disclaimer. |
| 8 | // * Redistributions in binary form must reproduce the above |
| 9 | // copyright notice, this list of conditions and the following |
| 10 | // disclaimer in the documentation and/or other materials provided |
| 11 | // with the distribution. |
| 12 | // * Neither the name of Google Inc. nor the names of its |
| 13 | // contributors may be used to endorse or promote products derived |
| 14 | // from this software without specific prior written permission. |
| 15 | // |
| 16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
| 17 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
| 18 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
| 19 | // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
| 20 | // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 21 | // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
| 22 | // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
| 23 | // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
| 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 25 | // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| 26 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 27 | |
| 28 | #include "test/cctest/cctest.h" |
| 29 | |
| 30 | using namespace v8::internal; |
| 31 | |
| 32 | |
| 33 | static void SetUpNewSpaceWithPoisonedMementoAtTop() { |
| 34 | Isolate* isolate = CcTest::i_isolate(); |
| 35 | Heap* heap = isolate->heap(); |
| 36 | NewSpace* new_space = heap->new_space(); |
| 37 | |
| 38 | // Make sure we can allocate some objects without causing a GC later. |
| 39 | heap->CollectAllGarbage(Heap::kAbortIncrementalMarkingMask); |
| 40 | |
| 41 | // Allocate a string, the GC may suspect a memento behind the string. |
| 42 | Handle<SeqOneByteString> string = |
| 43 | isolate->factory()->NewRawOneByteString(12).ToHandleChecked(); |
| 44 | CHECK(*string); |
| 45 | |
| 46 | // Create an allocation memento behind the string with a garbage allocation |
| 47 | // site pointer. |
| 48 | AllocationMemento* memento = |
| 49 | reinterpret_cast<AllocationMemento*>(new_space->top() + kHeapObjectTag); |
| 50 | memento->set_map_no_write_barrier(heap->allocation_memento_map()); |
| 51 | memento->set_allocation_site( |
| 52 | reinterpret_cast<AllocationSite*>(kHeapObjectTag), SKIP_WRITE_BARRIER); |
| 53 | } |
| 54 | |
| 55 | |
| 56 | TEST(Regress340063) { |
| 57 | CcTest::InitializeVM(); |
| 58 | if (!i::FLAG_allocation_site_pretenuring) return; |
| 59 | v8::HandleScope scope(CcTest::isolate()); |
| 60 | |
| 61 | |
| 62 | SetUpNewSpaceWithPoisonedMementoAtTop(); |
| 63 | |
| 64 | // Call GC to see if we can handle a poisonous memento right after the |
| 65 | // current new space top pointer. |
| 66 | CcTest::i_isolate()->heap()->CollectAllGarbage( |
| 67 | Heap::kAbortIncrementalMarkingMask); |
| 68 | } |
| 69 | |
| 70 | |
| 71 | TEST(BadMementoAfterTopForceScavenge) { |
| 72 | CcTest::InitializeVM(); |
| 73 | if (!i::FLAG_allocation_site_pretenuring) return; |
| 74 | v8::HandleScope scope(CcTest::isolate()); |
| 75 | |
| 76 | SetUpNewSpaceWithPoisonedMementoAtTop(); |
| 77 | |
| 78 | // Force GC to test the poisoned memento handling |
| 79 | CcTest::i_isolate()->heap()->CollectGarbage(i::NEW_SPACE); |
| 80 | } |
| 81 | |
| 82 | |
| 83 | TEST(PretenuringCallNew) { |
| 84 | CcTest::InitializeVM(); |
| 85 | if (!i::FLAG_allocation_site_pretenuring) return; |
| 86 | if (!i::FLAG_pretenuring_call_new) return; |
| 87 | |
| 88 | v8::HandleScope scope(CcTest::isolate()); |
| 89 | Isolate* isolate = CcTest::i_isolate(); |
| 90 | Heap* heap = isolate->heap(); |
| 91 | |
| 92 | int call_count = 10; |
| 93 | i::ScopedVector<char> test_buf(1024); |
| 94 | const char* program = |
| 95 | "function f() {" |
| 96 | " this.a = 3;" |
| 97 | " this.b = {};" |
| 98 | " return this;" |
| 99 | "};" |
| 100 | "var a;" |
| 101 | "for(var i = 0; i < %d; i++) {" |
| 102 | " a = new f();" |
| 103 | "}" |
| 104 | "a;"; |
| 105 | i::SNPrintF(test_buf, program, call_count); |
| 106 | v8::Local<v8::Value> res = CompileRun(test_buf.start()); |
| 107 | Handle<JSObject> o = |
| 108 | v8::Utils::OpenHandle(*v8::Handle<v8::Object>::Cast(res)); |
| 109 | |
| 110 | // The object of class f should have a memento secreted behind it. |
| 111 | Address memento_address = o->address() + o->map()->instance_size(); |
| 112 | AllocationMemento* memento = |
| 113 | reinterpret_cast<AllocationMemento*>(memento_address + kHeapObjectTag); |
| 114 | CHECK_EQ(memento->map(), heap->allocation_memento_map()); |
| 115 | |
| 116 | // Furthermore, how many mementos did we create? The count should match |
| 117 | // call_count. Note, that mementos are allocated during the inobject slack |
| 118 | // tracking phase. |
| 119 | AllocationSite* site = memento->GetAllocationSite(); |
| 120 | CHECK_EQ(call_count, site->pretenure_create_count()->value()); |
| 121 | } |