[heap] Also remove OLD_TO_SHARED slots in trimmed memory

Slots in free memory need to be removed. After a GC the JS application can create additional free memory by either left- or right-trimming
of heap objects. The sweeper might discover memory that was freed
because of such operations.

In case the sweeper discovers free memory, there can't be any
recorded slots in it. Otherwise subsequent allocations might store
untagged values in those slots and the next deref would most
likely crash.

Remove OLD_TO_SHARED slots in freed memory when left-trimming, right-
trimming and for DeleteObjectPropertyFast.

Also full GC was right-trimming objects which now needs to remove
slots in OLD_TO_SHARED.

Bug: v8:11708
Change-Id: I5761336e103704929fbd455d74bdbb499ae23f61
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905144Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83314}

src/heap/heap.cc

@@ -3601,6 +3601,7 @@ void Heap::CreateFillerForArray(T object, int elements_to_trim,
   if (MayContainRecordedSlots(object)) {
     MemoryChunk* chunk = MemoryChunk::FromHeapObject(object);
     DCHECK(!chunk->RegisteredObjectWithInvalidatedSlots<OLD_TO_NEW>(object));
+    DCHECK(!chunk->RegisteredObjectWithInvalidatedSlots<OLD_TO_SHARED>(object));
     DCHECK(!chunk->RegisteredObjectWithInvalidatedSlots<OLD_TO_OLD>(object));
   }
 #endif
@@ -6145,6 +6146,7 @@ void Heap::ClearRecordedSlot(HeapObject object, ObjectSlot slot) {
       // No need to update old-to-old here since that remembered set is gone
       // after a full GC and not re-recorded until sweeping is finished.
       RememberedSet<OLD_TO_NEW>::Remove(page, slot.address());
+      RememberedSet<OLD_TO_SHARED>::Remove(page, slot.address());
     }
   }
 #endif
@@ -6175,6 +6177,7 @@ void Heap::VerifySlotRangeHasNoRecordedSlots(Address start, Address end) {
 #ifndef V8_DISABLE_WRITE_BARRIERS
   Page* page = Page::FromAddress(start);
   RememberedSet<OLD_TO_NEW>::CheckNoneInRange(page, start, end);
+  RememberedSet<OLD_TO_SHARED>::CheckNoneInRange(page, start, end);
 #endif
 }
 #endif
@@ -6189,6 +6192,8 @@ void Heap::ClearRecordedSlotRange(Address start, Address end) {
     if (!page->SweepingDone()) {
       RememberedSet<OLD_TO_NEW>::RemoveRange(page, start, end,
                                              SlotSet::KEEP_EMPTY_BUCKETS);
+      RememberedSet<OLD_TO_SHARED>::RemoveRange(page, start, end,
+                                                SlotSet::KEEP_EMPTY_BUCKETS);
     }
   }
 #endif

src/heap/mark-compact.cc

@@ -3201,6 +3201,9 @@ void MarkCompactCollector::FlushBytecodeFromSFI(
   RememberedSet<OLD_TO_NEW>::RemoveRange(
       chunk, compiled_data_start, compiled_data_start + compiled_data_size,
       SlotSet::FREE_EMPTY_BUCKETS);
+  RememberedSet<OLD_TO_SHARED>::RemoveRange(
+      chunk, compiled_data_start, compiled_data_start + compiled_data_size,
+      SlotSet::FREE_EMPTY_BUCKETS);
   RememberedSet<OLD_TO_OLD>::RemoveRange(
       chunk, compiled_data_start, compiled_data_start + compiled_data_size,
       SlotSet::FREE_EMPTY_BUCKETS);
@@ -3456,6 +3459,8 @@ void MarkCompactCollector::RightTrimDescriptorArray(DescriptorArray array,
   MemoryChunk* chunk = MemoryChunk::FromHeapObject(array);
   RememberedSet<OLD_TO_NEW>::RemoveRange(chunk, start, end,
                                          SlotSet::FREE_EMPTY_BUCKETS);
+  RememberedSet<OLD_TO_SHARED>::RemoveRange(chunk, start, end,
+                                            SlotSet::FREE_EMPTY_BUCKETS);
   RememberedSet<OLD_TO_OLD>::RemoveRange(chunk, start, end,
                                          SlotSet::FREE_EMPTY_BUCKETS);
   if (V8_COMPRESS_POINTERS_8GB_BOOL) {