Commit 23c15e49 authored by vegorov@chromium.org's avatar vegorov@chromium.org

When scavenging update source slot before migrating object it points to.

The source slot might belong to a dead old object, and we might allocate a new object over it when evacuating the new-space object this slot points to. In that case, if we update the slot after migrating the object, we will write into the migrated object.

R=erik.corry@gmail.com

Review URL: http://codereview.chromium.org/8698022

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10082 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent e3eb71e9
...@@ -1486,10 +1486,10 @@ class ScavengingVisitor : public StaticVisitorBase { ...@@ -1486,10 +1486,10 @@ class ScavengingVisitor : public StaticVisitorBase {
// Helper function used by CopyObject to copy a source object to an // Helper function used by CopyObject to copy a source object to an
// allocated target object and update the forwarding pointer in the source // allocated target object and update the forwarding pointer in the source
// object. Returns the target object. // object. Returns the target object.
INLINE(static HeapObject* MigrateObject(Heap* heap, INLINE(static void MigrateObject(Heap* heap,
HeapObject* source, HeapObject* source,
HeapObject* target, HeapObject* target,
int size)) { int size)) {
// Copy the content of source to target. // Copy the content of source to target.
heap->CopyBlock(target->address(), source->address(), size); heap->CopyBlock(target->address(), source->address(), size);
...@@ -1515,8 +1515,6 @@ class ScavengingVisitor : public StaticVisitorBase { ...@@ -1515,8 +1515,6 @@ class ScavengingVisitor : public StaticVisitorBase {
MemoryChunk::IncrementLiveBytes(target->address(), size); MemoryChunk::IncrementLiveBytes(target->address(), size);
} }
} }
return target;
} }
template<ObjectContents object_contents, SizeRestriction size_restriction> template<ObjectContents object_contents, SizeRestriction size_restriction>
...@@ -1547,7 +1545,12 @@ class ScavengingVisitor : public StaticVisitorBase { ...@@ -1547,7 +1545,12 @@ class ScavengingVisitor : public StaticVisitorBase {
Object* result = NULL; // Initialization to please compiler. Object* result = NULL; // Initialization to please compiler.
if (maybe_result->ToObject(&result)) { if (maybe_result->ToObject(&result)) {
HeapObject* target = HeapObject::cast(result); HeapObject* target = HeapObject::cast(result);
*slot = MigrateObject(heap, object , target, object_size);
// Order is important: slot might be inside of the target if target
// was allocated over a dead object and slot comes from the store
// buffer.
*slot = target;
MigrateObject(heap, object, target, object_size);
if (object_contents == POINTER_OBJECT) { if (object_contents == POINTER_OBJECT) {
heap->promotion_queue()->insert(target, object_size); heap->promotion_queue()->insert(target, object_size);
...@@ -1560,8 +1563,13 @@ class ScavengingVisitor : public StaticVisitorBase { ...@@ -1560,8 +1563,13 @@ class ScavengingVisitor : public StaticVisitorBase {
MaybeObject* allocation = heap->new_space()->AllocateRaw(object_size); MaybeObject* allocation = heap->new_space()->AllocateRaw(object_size);
heap->promotion_queue()->SetNewLimit(heap->new_space()->top()); heap->promotion_queue()->SetNewLimit(heap->new_space()->top());
Object* result = allocation->ToObjectUnchecked(); Object* result = allocation->ToObjectUnchecked();
HeapObject* target = HeapObject::cast(result);
*slot = MigrateObject(heap, object, HeapObject::cast(result), object_size); // Order is important: slot might be inside of the target if target
// was allocated over a dead object and slot comes from the store
// buffer.
*slot = target;
MigrateObject(heap, object, target, object_size);
return; return;
} }
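Review bot: The header comment above MigrateObject (first hunk) still ends with `// object. Returns the target object.` although the signature now returns `void`; drop that sentence and state the new ordering contract there instead, e.g. `// Callers must write target into their slot BEFORE calling this: the slot may lie inside target when target was allocated over a dead object (store-buffer slots), so a later store would corrupt the migrated copy.` The same three-line "Order is important" comment is duplicated verbatim at both call sites in the third and fourth hunks; documenting the invariant once on MigrateObject keeps the two copies from drifting apart, and a reviewer might consider passing the slot into MigrateObject so the order is enforced in one place rather than at every caller. The functions enclosing the third and fourth hunks start and end outside the hunks, so any additional call sites of MigrateObject elsewhere in the file would need the same reordering.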