authorAllan Sandfeld Jensen <allan.jensen@qt.io>2017-07-17 13:57:45 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2017-07-19 13:44:40 +0000
commit6ec7b8da05d21a3878bd21c691b41e675d74bb1c (patch)
treeb87f250bc19413750b9bb9cdbf2da20ef5014820 /chromium/v8/src/objects-debug.cc
parentec02ee4181c49b61fce1c8fb99292dbb8139cc90 (diff)
BASELINE: Update Chromium to 60.0.3112.70
Change-Id: I9911c2280a014d4632f254857876a395d4baed2d Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
Diffstat (limited to 'chromium/v8/src/objects-debug.cc')
-rw-r--r--chromium/v8/src/objects-debug.cc126
1 files changed, 88 insertions, 38 deletions
diff --git a/chromium/v8/src/objects-debug.cc b/chromium/v8/src/objects-debug.cc
index ce075bf237e..8bab9289d67 100644
--- a/chromium/v8/src/objects-debug.cc
+++ b/chromium/v8/src/objects-debug.cc
@@ -8,6 +8,7 @@
#include "src/bootstrapper.h"
#include "src/disasm.h"
#include "src/disassembler.h"
+#include "src/elements.h"
#include "src/field-type.h"
#include "src/layout-descriptor.h"
#include "src/macro-assembler.h"
@@ -105,12 +106,14 @@ void HeapObject::HeapObjectVerify() {
break;
case JS_OBJECT_TYPE:
case JS_ERROR_TYPE:
- case JS_ARGUMENTS_TYPE:
case JS_API_OBJECT_TYPE:
case JS_SPECIAL_API_OBJECT_TYPE:
case JS_CONTEXT_EXTENSION_OBJECT_TYPE:
JSObject::cast(this)->JSObjectVerify();
break;
+ case JS_ARGUMENTS_TYPE:
+ JSArgumentsObject::cast(this)->JSArgumentsObjectVerify();
+ break;
case JS_GENERATOR_OBJECT_TYPE:
JSGeneratorObject::cast(this)->JSGeneratorObjectVerify();
break;
@@ -162,6 +165,7 @@ void HeapObject::HeapObjectVerify() {
case JS_MAP_ITERATOR_TYPE:
JSMapIterator::cast(this)->JSMapIteratorVerify();
break;
+
case JS_TYPED_ARRAY_KEY_ITERATOR_TYPE:
case JS_FAST_ARRAY_KEY_ITERATOR_TYPE:
case JS_GENERIC_ARRAY_KEY_ITERATOR_TYPE:
@@ -326,22 +330,22 @@ void JSObject::JSObjectVerify() {
VerifyHeapPointer(properties());
VerifyHeapPointer(elements());
- if (HasSloppyArgumentsElements()) {
- CHECK(this->elements()->IsFixedArray());
- CHECK_GE(this->elements()->length(), 2);
- }
-
+ CHECK_IMPLIES(HasSloppyArgumentsElements(), IsJSArgumentsObject());
if (HasFastProperties()) {
int actual_unused_property_fields = map()->GetInObjectProperties() +
properties()->length() -
map()->NextFreePropertyIndex();
if (map()->unused_property_fields() != actual_unused_property_fields) {
- // This could actually happen in the middle of StoreTransitionStub
- // when the new extended backing store is already set into the object and
- // the allocation of the MutableHeapNumber triggers GC (in this case map
- // is not updated yet).
- CHECK_EQ(map()->unused_property_fields(),
- actual_unused_property_fields - JSObject::kFieldsAdded);
+ // There are two reasons why this can happen:
+ // - in the middle of StoreTransitionStub when the new extended backing
+ // store is already set into the object and the allocation of the
+ // MutableHeapNumber triggers GC while the map isn't updated yet.
+ // - deletion of the last property can leave additional backing store
+ // capacity behind.
+ CHECK_GT(actual_unused_property_fields, map()->unused_property_fields());
+ int delta =
+ actual_unused_property_fields - map()->unused_property_fields();
+ CHECK_EQ(0, delta % JSObject::kFieldsAdded);
}
DescriptorArray* descriptors = map()->instance_descriptors();
Isolate* isolate = GetIsolate();
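Review bot: The relaxed check in JSObjectVerify accepts any positive multiple of `JSObject::kFieldsAdded` as the difference, where the removed code accepted exactly one, so a wrong `unused_property_fields` that happens to be off by such a multiple now passes the heap verifier. If the leftover capacity described in the new comment can never exceed the out-of-object backing store (an assumption to confirm), an upper bound such as `CHECK_LE(delta, properties()->length());` after the modulo check would keep the invariant tight. JSObjectVerify starts before this hunk and continues past it.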
@@ -428,13 +432,6 @@ void Map::VerifyOmittedMapChecks() {
}
-void TypeFeedbackInfo::TypeFeedbackInfoVerify() {
- VerifyObjectField(kStorage1Offset);
- VerifyObjectField(kStorage2Offset);
- VerifyObjectField(kStorage3Offset);
-}
-
-
void AliasedArgumentsEntry::AliasedArgumentsEntryVerify() {
VerifySmiField(kAliasedContextSlot);
}
@@ -474,6 +471,78 @@ void TransitionArray::TransitionArrayVerify() {
next_link()->IsTransitionArray());
}
+void JSArgumentsObject::JSArgumentsObjectVerify() {
+ if (IsSloppyArgumentsElementsKind(GetElementsKind())) {
+ JSSloppyArgumentsObject::cast(this)->JSSloppyArgumentsObjectVerify();
+ }
+ JSObjectVerify();
+}
+
+void JSSloppyArgumentsObject::JSSloppyArgumentsObjectVerify() {
+ Isolate* isolate = GetIsolate();
+ if (!map()->is_dictionary_map()) VerifyObjectField(kCalleeOffset);
+ if (isolate->IsInAnyContext(map(), Context::SLOPPY_ARGUMENTS_MAP_INDEX) ||
+ isolate->IsInAnyContext(map(),
+ Context::SLOW_ALIASED_ARGUMENTS_MAP_INDEX) ||
+ isolate->IsInAnyContext(map(),
+ Context::FAST_ALIASED_ARGUMENTS_MAP_INDEX)) {
+ VerifyObjectField(kLengthOffset);
+ VerifyObjectField(kCalleeOffset);
+ }
+ ElementsKind kind = GetElementsKind();
+ CHECK(IsSloppyArgumentsElementsKind(kind));
+ SloppyArgumentsElements::cast(elements())
+ ->SloppyArgumentsElementsVerify(this);
+}
+
+void SloppyArgumentsElements::SloppyArgumentsElementsVerify(
+ JSSloppyArgumentsObject* holder) {
+ Isolate* isolate = GetIsolate();
+ FixedArrayVerify();
+ // Abort verification if only partially initialized (can't use arguments()
+ // getter because it does FixedArray::cast()).
+ if (get(kArgumentsIndex)->IsUndefined(isolate)) return;
+
+ ElementsKind kind = holder->GetElementsKind();
+ bool is_fast = kind == FAST_SLOPPY_ARGUMENTS_ELEMENTS;
+ CHECK(IsFixedArray());
+ CHECK_GE(length(), 2);
+ CHECK_EQ(map(), isolate->heap()->sloppy_arguments_elements_map());
+ Context* context_object = Context::cast(context());
+ FixedArray* arg_elements = FixedArray::cast(arguments());
+ if (arg_elements->length() == 0) {
+ CHECK(arg_elements == isolate->heap()->empty_fixed_array());
+ return;
+ }
+ int nofMappedParameters =
+ length() - SloppyArgumentsElements::kParameterMapStart;
+ CHECK_LE(nofMappedParameters, context_object->length());
+ CHECK_LE(nofMappedParameters, arg_elements->length());
+ ElementsAccessor* accessor;
+ if (is_fast) {
+ accessor = ElementsAccessor::ForKind(FAST_HOLEY_ELEMENTS);
+ } else {
+ accessor = ElementsAccessor::ForKind(DICTIONARY_ELEMENTS);
+ }
+ for (int i = 0; i < nofMappedParameters; i++) {
+ // Verify that each context-mapped argument is either the hole or a valid
+ // Smi within context length range.
+ Object* mapped = get_mapped_entry(i);
+ if (mapped->IsTheHole(isolate)) {
+ // Slow sloppy arguments can be holey.
+ if (!is_fast) continue;
+ // Fast sloppy arguments elements are never holey. Either the element is
+ // context-mapped or present in the arguments elements.
+ CHECK(accessor->HasElement(holder, i, arg_elements));
+ continue;
+ }
+ Object* value = context_object->get(Smi::cast(mapped)->value());
+ CHECK(value->IsObject());
+ // None of the context-mapped entries should exist in the arguments
+ // elements.
+ CHECK(!accessor->HasElement(holder, i, arg_elements));
+ }
+}
void JSGeneratorObject::JSGeneratorObjectVerify() {
// In an expression like "new g()", there can be a point where a generator
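Review bot: In SloppyArgumentsElementsVerify the loop comment promises that each mapped entry is "either the hole or a valid Smi within context length range", but after the hole branch the code goes straight to `context_object->get(Smi::cast(mapped)->value())` without checking either property. If the cast and the context accessor only assert in debug builds (not visible in this hunk), a corrupted parameter-map entry would make the verifier itself read outside the context instead of failing a CHECK. Adding `CHECK(mapped->IsSmi());`, `CHECK_GE(Smi::cast(mapped)->value(), 0);` and `CHECK_LT(Smi::cast(mapped)->value(), context_object->length());` before the lookup would make the code match its comment. The same applies to `Context::cast(context())` earlier in the function, which is not preceded by a type CHECK.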
@@ -637,7 +706,6 @@ void SharedFunctionInfo::SharedFunctionInfoVerify() {
VerifyObjectField(kFunctionIdentifierOffset);
VerifyObjectField(kInstanceClassNameOffset);
VerifyObjectField(kNameOffset);
- VerifyObjectField(kOptimizedCodeMapOffset);
VerifyObjectField(kOuterScopeInfoOffset);
VerifyObjectField(kScopeInfoOffset);
VerifyObjectField(kScriptOffset);
@@ -1170,12 +1238,6 @@ void ContextExtension::ContextExtensionVerify() {
VerifyObjectField(kExtensionOffset);
}
-void ConstantElementsPair::ConstantElementsPairVerify() {
- CHECK(IsConstantElementsPair());
- VerifySmiField(kElementsKindOffset);
- VerifyObjectField(kConstantValuesOffset);
-}
-
void AccessorInfo::AccessorInfoVerify() {
CHECK(IsAccessorInfo());
VerifyPointer(name());
@@ -1215,13 +1277,6 @@ void InterceptorInfo::InterceptorInfoVerify() {
}
-void CallHandlerInfo::CallHandlerInfoVerify() {
- CHECK(IsCallHandlerInfo());
- VerifyPointer(callback());
- VerifyPointer(data());
-}
-
-
void TemplateInfo::TemplateInfoVerify() {
VerifyPointer(tag());
VerifyPointer(property_list());
@@ -1298,11 +1353,6 @@ void DebugInfo::DebugInfoVerify() {
}
-void BreakPointInfo::BreakPointInfoVerify() {
- CHECK(IsBreakPointInfo());
- VerifyPointer(break_point_objects());
-}
-
void StackFrameInfo::StackFrameInfoVerify() {
CHECK(IsStackFrameInfo());
VerifyPointer(script_name());