[heap] Fix live object iterator to skip grey filler objects.

BUG=v8:5829

patch from issue 2634493004 at patchset 20001 (http://crrev.com/2634493004#ps20001)

Review-Url: https://codereview.chromium.org/2634033003
Cr-Commit-Position: refs/heads/master@{#42383}

src/heap/mark-compact-inl.h

@@ -195,12 +195,13 @@ HeapObject* LiveObjectIterator<T>::Next() {
           object = black_object;
         }
       } else if ((T == kGreyObjects || T == kAllLiveObjects)) {
+        map = base::NoBarrierAtomicValue<Map*>::FromAddress(addr)->Value();
         object = HeapObject::FromAddress(addr);
       }
 
       // We found a live object.
       if (object != nullptr) {
-        if (map != nullptr && map == heap()->one_pointer_filler_map()) {
+        if (map == heap()->one_pointer_filler_map()) {
           // Black areas together with slack tracking may result in black one
           // word filler objects. We filter these objects out in the iterator.
           object = nullptr;

src/heap/mark-compact.cc

@@ -104,7 +104,9 @@ static void VerifyMarking(Heap* heap, Address bottom, Address top) {
   Address next_object_must_be_here_or_later = bottom;
   for (Address current = bottom; current < top;) {
     object = HeapObject::FromAddress(current);
-    if (MarkCompactCollector::IsMarked(object)) {
+    // One word fillers at the end of a black area can be grey.
+    if (MarkCompactCollector::IsMarked(object) &&
+        object->map() != heap->one_pointer_filler_map()) {
       CHECK(Marking::IsBlack(ObjectMarking::MarkBitFrom(object)));
       CHECK(current >= next_object_must_be_here_or_later);
       object->Iterate(&visitor);

test/cctest/heap/test-mark-compact.cc

@@ -41,6 +41,8 @@
 
 #include "src/full-codegen/full-codegen.h"
 #include "src/global-handles.h"
+#include "src/heap/mark-compact-inl.h"
+#include "src/heap/mark-compact.h"
 #include "test/cctest/cctest.h"
 #include "test/cctest/heap/heap-tester.h"
 #include "test/cctest/heap/heap-utils.h"
@@ -483,4 +485,36 @@ TEST(RegressJoinThreadsOnIsolateDeinit) {
   }
 }
 
+TEST(Regress5829) {
+  CcTest::InitializeVM();
+  Isolate* isolate = CcTest::i_isolate();
+  v8::HandleScope sc(CcTest::isolate());
+  Heap* heap = isolate->heap();
+  heap::SealCurrentObjects(heap);
+  i::MarkCompactCollector* collector = heap->mark_compact_collector();
+  i::IncrementalMarking* marking = heap->incremental_marking();
+  if (collector->sweeping_in_progress()) {
+    collector->EnsureSweepingCompleted();
+  }
+  CHECK(marking->IsMarking() || marking->IsStopped());
+  if (marking->IsStopped()) {
+    heap->StartIncrementalMarking(i::Heap::kNoGCFlags,
+                                  i::GarbageCollectionReason::kTesting);
+  }
+  CHECK(marking->IsMarking());
+  marking->StartBlackAllocationForTesting();
+  Handle<FixedArray> array = isolate->factory()->NewFixedArray(10, TENURED);
+  Address old_end = array->address() + array->Size();
+  // Right trim the array without clearing the mark bits.
+  array->set_length(9);
+  heap->CreateFillerObjectAt(old_end - kPointerSize, kPointerSize,
+                             ClearRecordedSlots::kNo);
+  heap->old_space()->EmptyAllocationInfo();
+  LiveObjectIterator<kGreyObjects> it(Page::FromAddress(array->address()));
+  HeapObject* object = nullptr;
+  while ((object = it.Next()) != nullptr) {
+    CHECK(!object->IsFiller());
+  }
+}
+
 #endif  // __linux__ and !USE_SIMULATOR