Filter out remembered slots that are at the start of an object.

These slots are invalid and can result in a broken offset when slot index and start of object are equal and are at the beginning of a cell. Moreover, make DCHECKs CHECKs to catch bugs in the wild. BUG=chromium:473174 LOG=n Review URL: https://codereview.chromium.org/1051243004 Cr-Commit-Position: refs/heads/master@{#27602}

Filter out remembered slots that are at the start of an object.
These slots are invalid and can result in a broken offset when slot index and start of object are equal and are at the beginning of a cell. Moreover, make DCHECKs CHECKs to catch bugs in the wild. BUG=chromium:473174 LOG=n Review URL: https://codereview.chromium.org/1051243004 Cr-Commit-Position: refs/heads/master@{#27602}
189b355a · hpayer · Commit bot · 4b5af7b3 · 189b355a
Commit 189b355a authored Apr 06, 2015 by hpayer Committed by Commit bot Apr 06, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 4 deletions

mark-compact.cc src/heap/mark-compact.cc +14 -4

No files found.
--- a/src/heap/mark-compact.cc
+++ b/src/heap/mark-compact.cc
@@ -3122,7 +3122,14 @@ bool MarkCompactCollector::IsSlotInBlackObject(Page* p, Address slot,
  unsigned int cell_base_start_index = Bitmap::IndexToCell(
      Bitmap::CellAlignIndex(p->AddressToMarkbitIndex(cell_base)));

-  // First check if the object is in the current cell.
+  // Check if the slot points to the start of an object. This can happen e.g.
+  // when we left trim a fixed array. Such slots are invalid and we can remove
+  // them.
+  if ((cells[start_index] & index_in_cell) != 0) {
+    return false;
+  }
+
+  // Check if the object is in the current cell.
  MarkBit::CellType slot_mask;
  if ((cells[start_index] == 0) ||
      (base::bits::CountTrailingZeros32(cells[start_index]) >
@@ -3144,23 +3151,26 @@ bool MarkCompactCollector::IsSlotInBlackObject(Page* p, Address slot,
    // The object is in a preceding cell. Set the mask to find any object.
    slot_mask = 0xffffffff;
  } else {
+    // The object start is before the the slot index. Hence, in this case the
+    // slot index can not be at the beginning of the cell.
+    CHECK(index_in_cell > 1);
    // We are interested in object mark bits right before the slot.
    slot_mask = index_in_cell - 1;
  }

  MarkBit::CellType current_cell = cells[start_index];
-  DCHECK(current_cell != 0);
+  CHECK(current_cell != 0);

  // Find the last live object in the cell.
  unsigned int leading_zeros =
      base::bits::CountLeadingZeros32(current_cell & slot_mask);
-  DCHECK(leading_zeros != 32);
+  CHECK(leading_zeros != 32);
  unsigned int offset = Bitmap::kBitIndexMask - leading_zeros;

  cell_base += (start_index - cell_base_start_index) * 32 * kPointerSize;
  Address address = cell_base + offset * kPointerSize;
  HeapObject* object = HeapObject::FromAddress(address);
-  DCHECK(object->address() < reinterpret_cast<Address>(slot));
+  CHECK(object->address() < reinterpret_cast<Address>(slot));
  if (object->address() <= slot &&
      (object->address() + object->Size()) > slot) {
    // If the slot is within the last found object in the cell, the slot is