• Ulan Degenbaev's avatar
    Reland "Fix invalidation of old-to-old slots after object trimming." · 51e6ecb9
    Ulan Degenbaev authored
    This reverts commit 5b434929.
    
    Changes after the original CL:
    - Right-trimming registers the array as an object with invalidated
      slots.
    - Left-trimming moves the array start in the invalidated slots map.
    
    Original change's description:
    > Fix invalidation of old-to-old slots after object trimming.
    >
    > A recorded old-to-old slot may be overwritten with a pointer to a new
    > space object. If the object containing the slot is trimmed later on,
    > then the mark-compactor may crash on a stale pointer to new space.
    >
    > This patch ensures that:
    > 1) On trimming of an object we add it to the invalidated_slots sets.
    > 2) The InvalidatedSlotsFilter::IsValid returns false for slots outside
    >    the invalidated object unless the page was already swept.
    >
    > Array left-trimming is handled as a special case because object start
    > moves and cannot be added to the invalidated set. Instead, we clear
    > the freed memory so that the recorded slots contain Smi values.
    >
    > Bug: chromium:870226,chromium:816426
    > Change-Id: Iffc05a58fcf52ece45fdb085b5d1fd4b3acb5d53
    > Reviewed-on: https://chromium-review.googlesource.com/1163784
    > Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
    > Reviewed-by: Hannes Payer <hpayer@chromium.org>
    > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
    > Cr-Commit-Position: refs/heads/master@{#54953}
    
    Change-Id: I1f1080f680196c581f62aef8d3a00a595f9bb9b0
    Reviewed-on: https://chromium-review.googlesource.com/1165555
    Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
    Reviewed-by: 's avatarMichael Lippautz <mlippautz@chromium.org>
    Reviewed-by: 's avatarHannes Payer <hpayer@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#55066}
    51e6ecb9
invalidated-slots.h 1.62 KB