[heap] Don't consider mementos on pages below age mark

Objects that reside below the age mark could be on pages that have been moved within new space. In this case mementos survived which can actually point to already-collected allocation sites. BUG=chromium:631050,chromium:581412 R=hpayer@chromium.org Review-Url: https://codereview.chromium.org/2179033005 Cr-Commit-Position: refs/heads/master@{#38094}

[heap] Don't consider mementos on pages below age mark
Objects that reside below the age mark could be on pages that have been moved within new space. In this case mementos survived which can actually point to already-collected allocation sites. BUG=chromium:631050,chromium:581412 R=hpayer@chromium.org Review-Url: https://codereview.chromium.org/2179033005 Cr-Commit-Position: refs/heads/master@{#38094}
e97b8686 · mlippautz · Commit bot · 1ca3d099 · e97b8686 · e97b8686
Commit e97b8686 authored Jul 27, 2016 by mlippautz Committed by Commit bot Jul 27, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 32 additions and 3 deletions

heap-inl.h src/heap/heap-inl.h +17 -3

regress-631050.js test/mjsunit/regress/regress-631050.js +15 -0

No files found.
--- a/src/heap/heap-inl.h
+++ b/src/heap/heap-inl.h
@@ -479,12 +479,10 @@ void Heap::CopyBlock(Address dst, Address src, int byte_size) {

 template <Heap::FindMementoMode mode>
 AllocationMemento* Heap::FindAllocationMemento(HeapObject* object) {
-  // Check if there is potentially a memento behind the object. If
-  // the last word of the memento is on another page we return
-  // immediately.
  Address object_address = object->address();
  Address memento_address = object_address + object->Size();
  Address last_memento_word_address = memento_address + kPointerSize;
+  // If the memento would be on another page, bail out immediately.
  if (!Page::OnSamePage(object_address, last_memento_word_address)) {
    return nullptr;
  }
@@ -497,6 +495,22 @@ AllocationMemento* Heap::FindAllocationMemento(HeapObject* object) {
  if (candidate_map != allocation_memento_map()) {
    return nullptr;
  }
+
+  // Bail out if the memento is below the age mark, which can happen when
+  // mementos survived because a page got moved within new space.
+  Page* object_page = Page::FromAddress(object_address);
+  if (object_page->IsFlagSet(Page::NEW_SPACE_BELOW_AGE_MARK)) {
+    Address age_mark =
+        reinterpret_cast<SemiSpace*>(object_page->owner())->age_mark();
+    if (!object_page->Contains(age_mark)) {
+      return nullptr;
+    }
+    // Do an exact check in the case where the age mark is on the same page.
+    if (object_address < age_mark) {
+      return nullptr;
+    }
+  }
+
  AllocationMemento* memento_candidate = AllocationMemento::cast(candidate);

  // Depending on what the memento is used for, we might need to perform

--- a/test/mjsunit/regress/regress-631050.js
+++ b/test/mjsunit/regress/regress-631050.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --gc-global --stress-runs=8
+
+function __f_3(x, expected) {
+  var __v_3 = [];
+  __v_3.length = x;
+  __f_3(true, 1);
+}
+
+try {
+  __f_3(2147483648, 2147483648);
+} catch (e) {}