[in-place weak refs] Fix weak slots in new space.

New space objects which die after scavenging might contain weak references. IncrementalMarking::UpdateWeakReferencesAfterScavenge must drop the corresponding slot. This bug didn't surface before, since all weak slots are in the old space (but this will change soon). BUG=v8:7308 Change-Id: Ib1e507d4207e35547240dc0867ec7787b3f3103e Reviewed-on: https://chromium-review.googlesource.com/1005000Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#52519}

[in-place weak refs] Fix weak slots in new space.
New space objects which die after scavenging might contain weak references. IncrementalMarking::UpdateWeakReferencesAfterScavenge must drop the corresponding slot. This bug didn't surface before, since all weak slots are in the old space (but this will change soon). BUG=v8:7308 Change-Id: Ib1e507d4207e35547240dc0867ec7787b3f3103e Reviewed-on: https://chromium-review.googlesource.com/1005000Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#52519}
3d222e13 · Marja Hölttä · Commit Bot · 963062fb · 3d222e13 · 3d222e13
Commit 3d222e13 authored Apr 10, 2018 by Marja Hölttä Committed by Commit Bot Apr 10, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 44 additions and 2 deletions

incremental-marking.cc src/heap/incremental-marking.cc +6 -2

test-weak-references.cc test/cctest/heap/test-weak-references.cc +38 -0

No files found.
--- a/src/heap/incremental-marking.cc
+++ b/src/heap/incremental-marking.cc
@@ -666,9 +666,13 @@ void IncrementalMarking::UpdateWeakReferencesAfterScavenge() {
              distance_to_slot;
          slot_out->first = map_word.ToForwardingAddress();
          slot_out->second = reinterpret_cast<HeapObjectReference**>(new_slot);
-        } else {
-          *slot_out = slot_in;
+          return true;
+        }
+        if (heap_obj->GetHeap()->InNewSpace(heap_obj)) {
+          // The new space object containing the weak reference died.
+          return false;
        }
+        *slot_out = slot_in;
        return true;
      });
  weak_objects_->weak_objects_in_code.Update(

--- a/test/cctest/heap/test-weak-references.cc
+++ b/test/cctest/heap/test-weak-references.cc
@@ -216,6 +216,44 @@ TEST(ObjectMovesBeforeClearingWeakField) {
  CHECK(fv->optimized_code_weak_or_smi()->IsClearedWeakHeapObject());
 }

+TEST(ObjectWithWeakFieldDies) {
+  if (!FLAG_incremental_marking) {
+    return;
+  }
+  ManualGCScope manual_gc_scope;
+  CcTest::InitializeVM();
+  Isolate* isolate = CcTest::i_isolate();
+  Factory* factory = isolate->factory();
+  Heap* heap = isolate->heap();
+
+  {
+    HandleScope outer_scope(isolate);
+    Handle<FeedbackVector> fv =
+        CreateFeedbackVectorForTest(CcTest::isolate(), factory);
+    CHECK(heap->InNewSpace(*fv));
+    {
+      HandleScope inner_scope(isolate);
+      // Create a new FixedArray which the FeedbackVector will point to.
+      Handle<FixedArray> fixed_array = factory->NewFixedArray(1);
+      CHECK(heap->InNewSpace(*fixed_array));
+      fv->set_optimized_code_weak_or_smi(
+          HeapObjectReference::Weak(*fixed_array));
+      // inner_scope will go out of scope, so when marking the next time,
+      // *fixed_array will stay white.
+    }
+
+    // Do marking steps; this will store *fv into the list for later processing
+    // (since it points to a white object).
+    SimulateIncrementalMarking(heap, true);
+  }  // outer_scope goes out of scope
+
+  // fv will die
+  CcTest::CollectGarbage(NEW_SPACE);
+
+  // This used to crash when processing the dead weak reference.
+  CcTest::CollectAllGarbage();
+}
+
 TEST(ObjectWithWeakReferencePromoted) {
  CcTest::InitializeVM();
  Isolate* isolate = CcTest::i_isolate();