Commit 50d74d60 authored by Sigurd Schneider, committed by Commit Bot

[heap] Do not {RecordEphemeronKeyWrite} if key is in old-space

This happened because {EphemeronKeyWriteBarrierFromCode} will also be
called if both table and key are in old-space, and key is an evacuation
candidate.

Bug: chromium:948307, v8:8557
Change-Id: Ic1284209584b74cb343163e4beec632a3f1544b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547858
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60568}
parent 045fdaf4
...@@ -5856,12 +5856,15 @@ void Heap::EphemeronKeyWriteBarrierFromCode(Address raw_object, ...@@ -5856,12 +5856,15 @@ void Heap::EphemeronKeyWriteBarrierFromCode(Address raw_object,
Address key_slot_address, Address key_slot_address,
Isolate* isolate) { Isolate* isolate) {
EphemeronHashTable table = EphemeronHashTable::cast(Object(raw_object)); EphemeronHashTable table = EphemeronHashTable::cast(Object(raw_object));
if (!ObjectInYoungGeneration(table)) { MaybeObjectSlot key_slot(key_slot_address);
MaybeObject maybe_key = *key_slot;
HeapObject key;
if (!maybe_key.GetHeapObject(&key)) return;
if (!ObjectInYoungGeneration(table) && ObjectInYoungGeneration(key)) {
isolate->heap()->RecordEphemeronKeyWrite(table, key_slot_address); isolate->heap()->RecordEphemeronKeyWrite(table, key_slot_address);
} }
MaybeObjectSlot key_slot(key_slot_address);
isolate->heap()->incremental_marking()->RecordMaybeWeakWrite(table, key_slot, isolate->heap()->incremental_marking()->RecordMaybeWeakWrite(table, key_slot,
*key_slot); maybe_key);
} }
void Heap::GenerationalBarrierForElementsSlow(Heap* heap, FixedArray array, void Heap::GenerationalBarrierForElementsSlow(Heap* heap, FixedArray array,
......
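Review bot: The new early return `if (!maybe_key.GetHeapObject(&key)) return;` in Heap::EphemeronKeyWriteBarrierFromCode also skips the `RecordMaybeWeakWrite` call, which the old code reached unconditionally. That is presumably harmless because a slot holding no heap object has nothing to mark, but the code should say so, e.g. `// Nothing to record or mark if the slot holds no heap object.` on the early return. The reason for the added `ObjectInYoungGeneration(key)` test appears only in the commit message; because a wrongly recorded or missed remembered-set entry in a write barrier is a memory-safety matter, it belongs next to the condition, e.g. `// Also called when table and key are both in old-space and key is an evacuation candidate; only old-to-new edges are recorded.` above the `if`.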
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
const set = new WeakSet()
const obj = {};
// Two GCs to promote {set} and {obj} to old-space.
gc();
gc();
// Allocate a large array so {obj} will become an evacuation candidate.
const foo = new Int8Array(0x0F000000);
// Trigger ephemeron key write barrier.
set.add(obj);
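Review bot: The test contains no assertion and does not say what failure looks like, so a reader cannot tell that it passes simply by not crashing in `set.add(obj)`; add a line such as `// Must not crash or hit a DCHECK in the ephemeron key write barrier.` before the call. Whether {obj} actually becomes an evacuation candidate depends on the 0x0F000000-element allocation influencing GC heuristics, so the test could silently stop covering the bug if those heuristics change. If a flag such as `--stress-compaction` reproduces the condition it would be a more stable trigger, though that cannot be confirmed from this page. `const set = new WeakSet()` is also missing the semicolon the other statements have.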