Commit ded6ffbb authored by hpayer, committed by Commit bot

Recorded slots in store buffer are never in free space. Remove migration consistency check.

After establishing the invariant that the store buffer always has valid slots after marking, the store buffer integrity check is not needed anymore.

BUG=454157
LOG=n

Review URL: https://codereview.chromium.org/990173002

Cr-Commit-Position: refs/heads/master@{#27073}
parent 67bc45c2
......@@ -2118,12 +2118,10 @@ class ScavengingVisitor : public StaticVisitorBase {
if (alignment != kObjectAlignment) {
target = EnsureDoubleAligned(heap, target, allocation_size);
}
MigrateObject(heap, object, target, object_size);
// Order is important: slot might be inside of the target if target
// was allocated over a dead object and slot comes from the store
// buffer.
// Update slot to new target.
*slot = target;
MigrateObject(heap, object, target, object_size);
heap->IncrementSemiSpaceCopiedObjectSize(object_size);
return true;
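Review bot: moving MigrateObject(heap, object, target, object_size) ahead of "*slot = target;" reverses the order that the deleted comment explicitly called important, and nothing in the hunk records why the new order is safe. The old comment's case still reads correctly against the new code: if target was allocated over a dead object and slot lies inside target, MigrateObject now copies the object over the slot first and "*slot = target;" then writes into the freshly migrated object. The only thing making that impossible is the invariant from the commit message (store-buffer slots are never in free space), which is stated in the message but not in the source. Suggest replacing the removed comment with one line stating that invariant, and in debug builds asserting that slot does not fall within the target's range (target to target + object_size) so a regression fails loudly instead of silently corrupting the copied object.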
......@@ -2157,22 +2155,10 @@ class ScavengingVisitor : public StaticVisitorBase {
if (alignment != kObjectAlignment) {
target = EnsureDoubleAligned(heap, target, allocation_size);
}
MigrateObject(heap, object, target, object_size);
// Order is important: slot might be inside of the target if target
// was allocated over a dead object and slot comes from the store
// buffer.
// Unfortunately, the allocation can also write over the slot if the slot
// was in free space and the allocation wrote free list data (such as the
// free list map or entry size) over the slot. We guard against this by
// checking that the slot still points to the object being moved. This
// should be sufficient because neither the free list map nor the free
// list entry size should look like a new space pointer (the former is an
// old space pointer, the latter is word-aligned).
if (*slot == object) {
// Update slot to new target.
*slot = target;
}
MigrateObject(heap, object, target, object_size);
if (object_contents == POINTER_OBJECT) {
if (map->instance_type() == JS_FUNCTION_TYPE) {
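Review bot: dropping "if (*slot == object)" removes the only runtime defence against a slot that was overwritten by free-list data, and nothing replaces it. The commit message argues the check is dead because the store buffer only holds valid slots after marking; if that holds, the comparison is cheap to keep as a debug-only assertion (DCHECK(*slot == object) or equivalent) so a violated invariant is caught rather than writing target into a free-list map or entry-size word, which is exactly the failure the deleted comment described. The same reorder concern as in the first hunk applies here: MigrateObject now runs before the slot update with the "Order is important" comment deleted and no replacement stating why the new order is safe. Since the guard is gone, the surviving "*slot = target;" and its comment should also be dedented to match the enclosing block.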