[heap, deoptimizer] Do not invalidate slots in materialized objects

We initialize the JSObject in the payload of a ByteArray, so we know
that no slots were recorded there. This also means we don't need to
remove any recorded slots and thus invalidation isn't required.

With this change only strings use object slot invalidation on
String::MakeExternal.

Bug: v8:12578
Change-Id: I009635c2a61ae8ff2b9e2480cb7d374451a8cc7d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644614Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80528}

src/deoptimizer/translated-state.cc

@@ -13,6 +13,7 @@
 #include "src/diagnostics/disasm.h"
 #include "src/execution/frames.h"
 #include "src/execution/isolate.h"
+#include "src/heap/heap.h"
 #include "src/numbers/conversions.h"
 #include "src/objects/arguments.h"
 #include "src/objects/heap-number-inl.h"
@@ -1849,8 +1850,18 @@ void TranslatedState::InitializeJSObjectAt(
   // The object should have at least a map and some payload.
   CHECK_GE(children_count, 2);
 
+#if DEBUG
+  // No need to invalidate slots in object because no slot was recorded yet.
+  // Verify this here.
+  Address object_start = object_storage->address();
+  Address object_end = object_start + children_count * kTaggedSize;
+  isolate()->heap()->VerifySlotRangeHasNoRecordedSlots(object_start,
+                                                       object_end);
+#endif  // DEBUG
+
   // Notify the concurrent marker about the layout change.
-  isolate()->heap()->NotifyObjectLayoutChange(*object_storage, no_gc);
+  isolate()->heap()->NotifyObjectLayoutChange(*object_storage, no_gc,
+                                              InvalidateRecordedSlots::kNo);
 
   // Fill the property array field.
   {
@@ -1901,8 +1912,18 @@ void TranslatedState::InitializeObjectWithTaggedFieldsAt(
     return;
   }
 
+#if DEBUG
+  // No need to invalidate slots in object because no slot was recorded yet.
+  // Verify this here.
+  Address object_start = object_storage->address();
+  Address object_end = object_start + children_count * kTaggedSize;
+  isolate()->heap()->VerifySlotRangeHasNoRecordedSlots(object_start,
+                                                       object_end);
+#endif  // DEBUG
+
   // Notify the concurrent marker about the layout change.
-  isolate()->heap()->NotifyObjectLayoutChange(*object_storage, no_gc);
+  isolate()->heap()->NotifyObjectLayoutChange(*object_storage, no_gc,
+                                              InvalidateRecordedSlots::kNo);
 
   // Write the fields to the object.
   for (int i = 1; i < children_count; i++) {

src/heap/heap.cc

@@ -6430,7 +6430,6 @@ void Heap::VerifyClearedSlot(HeapObject object, ObjectSlot slot) {
 void Heap::VerifySlotRangeHasNoRecordedSlots(Address start, Address end) {
 #ifndef V8_DISABLE_WRITE_BARRIERS
   Page* page = Page::FromAddress(start);
-  DCHECK(!page->InYoungGeneration());
   RememberedSet<OLD_TO_NEW>::CheckNoneInRange(page, start, end);
 #endif
 }

src/heap/memory-chunk.cc

@@ -378,7 +378,8 @@ template V8_EXPORT_PRIVATE void MemoryChunk::RegisterObjectWithInvalidatedSlots<
 
 template <RememberedSetType type>
 void MemoryChunk::RegisterObjectWithInvalidatedSlots(HeapObject object) {
-  DCHECK(!object.IsJSReceiver());
+  // ByteArray and FixedArray are still invalidated in tests.
+  DCHECK(object.IsString() || object.IsByteArray() || object.IsFixedArray());
   bool skip_slot_recording;
 
   switch (type) {