[heap] Fix assertion of cleared old-to-old slots.

Even if the old-to-old remembered set contains a slot it should be
considered cleared if it was added into the invalidated slot set.

Change-Id: I30db5a77b14e729ab45b6de82af8795d85263518
Reviewed-on: https://chromium-review.googlesource.com/1224095
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55856}

src/heap/heap.cc

@@ -5271,17 +5271,19 @@ void Heap::ClearRecordedSlot(HeapObject* object, Object** slot) {
   }
 }
 
-bool Heap::HasRecordedSlot(HeapObject* object, Object** slot) {
-  if (InNewSpace(object)) {
-    return false;
-  }
+#ifdef DEBUG
+void Heap::VerifyClearedSlot(HeapObject* object, Object** slot) {
+  if (InNewSpace(object)) return;
   Address slot_addr = reinterpret_cast<Address>(slot);
   Page* page = Page::FromAddress(slot_addr);
   DCHECK_EQ(page->owner()->identity(), OLD_SPACE);
   store_buffer()->MoveAllEntriesToRememberedSet();
-  return RememberedSet<OLD_TO_NEW>::Contains(page, slot_addr) ||
-         RememberedSet<OLD_TO_OLD>::Contains(page, slot_addr);
+  CHECK(!RememberedSet<OLD_TO_NEW>::Contains(page, slot_addr));
+  // Old to old slots are filtered with invalidated slots.
+  CHECK_IMPLIES(RememberedSet<OLD_TO_OLD>::Contains(page, slot_addr),
+                page->RegisteredObjectWithInvalidatedSlots(object));
 }
+#endif
 
 void Heap::ClearRecordedSlotRange(Address start, Address end) {
   Page* page = Page::FromAddress(start);

src/heap/heap.h

@@ -1006,7 +1006,9 @@ class Heap {
   void ClearRecordedSlot(HeapObject* object, Object** slot);
   void ClearRecordedSlotRange(Address start, Address end);
 
-  bool HasRecordedSlot(HeapObject* object, Object** slot);
+#ifdef DEBUG
+  void VerifyClearedSlot(HeapObject* object, Object** slot);
+#endif
 
   // ===========================================================================
   // Incremental marking API. ==================================================

src/heap/spaces.cc

@@ -1452,6 +1452,17 @@ void MemoryChunk::RegisterObjectWithInvalidatedSlots(HeapObject* object,
   }
 }
 
+bool MemoryChunk::RegisteredObjectWithInvalidatedSlots(HeapObject* object) {
+  if (ShouldSkipEvacuationSlotRecording()) {
+    // Invalidated slots do not matter if we are not recording slots.
+    return true;
+  }
+  if (invalidated_slots() == nullptr) {
+    return false;
+  }
+  return invalidated_slots()->find(object) != invalidated_slots()->end();
+}
+
 void MemoryChunk::MoveObjectWithInvalidatedSlots(HeapObject* old_start,
                                                  HeapObject* new_start) {
   DCHECK_LT(old_start, new_start);

src/heap/spaces.h

@@ -516,6 +516,7 @@ class MemoryChunk {
   // Updates invalidated_slots after array left-trimming.
   void MoveObjectWithInvalidatedSlots(HeapObject* old_start,
                                       HeapObject* new_start);
+  bool RegisteredObjectWithInvalidatedSlots(HeapObject* object);
   InvalidatedSlots* invalidated_slots() { return invalidated_slots_; }
 
   void ReleaseLocalTracker();

src/objects.cc

@@ -4351,8 +4351,10 @@ void MigrateFastToFast(Handle<JSObject> object, Handle<Map> new_map) {
         heap->ClearRecordedSlot(*object,
                                 HeapObject::RawField(*object, index.offset()));
       } else {
-        DCHECK(!heap->HasRecordedSlot(
-            *object, HeapObject::RawField(*object, index.offset())));
+#ifdef DEBUG
+        heap->VerifyClearedSlot(*object,
+                                HeapObject::RawField(*object, index.offset()));
+#endif
       }
     } else {
       object->RawFastPropertyAtPut(index, value);