[heap] Use the correct write barrier for descriptor arrays.

This fixes two places that used the marking write barrier for elements
instead of the new marking write barrier for descriptor array.

This also ensures that revisited objects are marked black.

Bug: v8:8651,chromium:917794
Change-Id: Ifc17ff89686f32ccf61d4b3f764b0ab536c42912
Reviewed-on: https://chromium-review.googlesource.com/c/1406670Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58742}

src/heap/heap.cc

@@ -5643,10 +5643,13 @@ void Heap::MarkingBarrierSlow(HeapObject object, Address slot,
 }
 
 void Heap::MarkingBarrierForElementsSlow(Heap* heap, HeapObject object) {
-  if (FLAG_concurrent_marking ||
-      heap->incremental_marking()->marking_state()->IsBlack(object)) {
-    heap->incremental_marking()->RevisitObject(object);
+  IncrementalMarking::MarkingState* marking_state =
+      heap->incremental_marking()->marking_state();
+  if (!marking_state->IsBlack(object)) {
+    marking_state->WhiteToGrey(object);
+    marking_state->GreyToBlack(object);
   }
+  heap->incremental_marking()->RevisitObject(object);
 }
 
 void Heap::MarkingBarrierForCodeSlow(Code host, RelocInfo* rinfo,

src/heap/incremental-marking.cc

@@ -733,7 +733,7 @@ void IncrementalMarking::ProcessBlackAllocatedObject(HeapObject obj) {
 
 void IncrementalMarking::RevisitObject(HeapObject obj) {
   DCHECK(IsMarking());
-  DCHECK(FLAG_concurrent_marking || marking_state()->IsBlack(obj));
+  DCHECK(marking_state()->IsBlack(obj));
   Page* page = Page::FromAddress(obj->address());
   if (page->owner()->identity() == LO_SPACE) {
     page->ResetProgressBar();

src/heap/mark-compact-inl.h

@@ -409,6 +409,9 @@ template <FixedArrayVisitationMode fixed_array_mode,
 void MarkingVisitor<fixed_array_mode, retaining_path_mode, MarkingState>::
     VisitDescriptors(DescriptorArray descriptors,
                      int number_of_own_descriptors) {
+  // Updating the number of marked descriptor is supported only for black
+  // descriptor arrays.
+  DCHECK(marking_state()->IsBlack(descriptors));
   int16_t new_marked = static_cast<int16_t>(number_of_own_descriptors);
   int16_t old_marked = descriptors->UpdateNumberOfMarkedDescriptors(
       mark_compact_epoch_, new_marked);

src/objects.cc

@@ -4783,8 +4783,9 @@ void Map::ReplaceDescriptors(Isolate* isolate, DescriptorArray new_descriptors,
   // Replace descriptors by new_descriptors in all maps that share it. The old
   // descriptors will not be trimmed in the mark-compactor, we need to mark
   // all its elements.
-  MarkingBarrierForElements(isolate->heap(), to_replace);
   Map current = *this;
+  MarkingBarrierForDescriptorArray(isolate->heap(), current, to_replace,
+                                   to_replace->number_of_descriptors());
   while (current->instance_descriptors() == to_replace) {
     Object next = current->GetBackPointer();
     if (next->IsUndefined(isolate)) break;  // Stop overwriting at initial map.
@@ -5622,7 +5623,8 @@ void Map::EnsureDescriptorSlack(Isolate* isolate, Handle<Map> map, int slack) {
   // Replace descriptors by new_descriptors in all maps that share it. The old
   // descriptors will not be trimmed in the mark-compactor, we need to mark
   // all its elements.
-  MarkingBarrierForElements(isolate->heap(), *descriptors);
+  MarkingBarrierForDescriptorArray(isolate->heap(), *map, *descriptors,
+                                   descriptors->number_of_descriptors());
 
   Map current = *map;
   while (current->instance_descriptors() == *descriptors) {