[heap] Fix slots recording for promoted large objects

The page flags of a large object promoted during scavenge are not updated until the finalization of the scavenge. Thus during slots recording they still indicate that the large object is in the from space. The MarkCompactCollector::RecordSlot bails out for object in young generation, which results in missing old-to-old slot. The fix is to insert the slot directly to the remembered set. Bug: chromium:852420 Change-Id: Ib3d62e6d939191411729dbc2eb16b89a171a1e80 Reviewed-on: https://chromium-review.googlesource.com/c/1475765Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#59646}

[heap] Fix slots recording for promoted large objects
The page flags of a large object promoted during scavenge are not updated until the finalization of the scavenge. Thus during slots recording they still indicate that the large object is in the from space. The MarkCompactCollector::RecordSlot bails out for object in young generation, which results in missing old-to-old slot. The fix is to insert the slot directly to the remembered set. Bug: chromium:852420 Change-Id: Ib3d62e6d939191411729dbc2eb16b89a171a1e80 Reviewed-on: https://chromium-review.googlesource.com/c/1475765Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#59646}
ec68d97d · Ulan Degenbaev · Commit Bot · ced2e4ee · ec68d97d
Commit ec68d97d authored Feb 18, 2019 by Ulan Degenbaev Committed by Commit Bot Feb 18, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 6 deletions

scavenger.cc src/heap/scavenger.cc +8 -6

No files found.
--- a/src/heap/scavenger.cc
+++ b/src/heap/scavenger.cc
@@ -75,9 +75,9 @@ class ScavengingTask final : public ItemParallelJob::Task {

 class IterateAndScavengePromotedObjectsVisitor final : public ObjectVisitor {
 public:
-  IterateAndScavengePromotedObjectsVisitor(Heap* heap, Scavenger* scavenger,
+  IterateAndScavengePromotedObjectsVisitor(Scavenger* scavenger,
                                           bool record_slots)
-      : heap_(heap), scavenger_(scavenger), record_slots_(record_slots) {}
+      : scavenger_(scavenger), record_slots_(record_slots) {}

  V8_INLINE void VisitPointers(HeapObject host, ObjectSlot start,
                               ObjectSlot end) final {
@@ -137,12 +137,14 @@ class IterateAndScavengePromotedObjectsVisitor final : public ObjectVisitor {
          HeapObject::cast(target)));
    } else if (record_slots_ && MarkCompactCollector::IsOnEvacuationCandidate(
                                    HeapObject::cast(target))) {
-      heap_->mark_compact_collector()->RecordSlot(host, ObjectSlot(slot),
-                                                  target);
+      // We cannot call MarkCompactCollector::RecordSlot because that checks
+      // that the host page is not in young generation, which does not hold
+      // for pending large pages.
+      RememberedSet<OLD_TO_OLD>::Insert(MemoryChunk::FromHeapObject(host),
+                                        slot.address());
    }
  }

-  Heap* const heap_;
  Scavenger* const scavenger_;
  const bool record_slots_;
 };
@@ -369,7 +371,7 @@ void Scavenger::IterateAndScavengePromotedObject(HeapObject target, Map map,
  const bool record_slots =
      is_compacting_ &&
      heap()->incremental_marking()->atomic_marking_state()->IsBlack(target);
-  IterateAndScavengePromotedObjectsVisitor visitor(heap(), this, record_slots);
+  IterateAndScavengePromotedObjectsVisitor visitor(this, record_slots);
  target->IterateBodyFast(map, size, &visitor);
 }