Reland of [heap] Simplify distribution of remaining memory during sweeping & compaction (patchset #1 id:1 of https://codereview.chromium.org/1661723003/ )

Reason for revert:
Bisection results show that this was not the culprit.

Original issue's description:
> Revert of [heap] Simplify distribution of remaining memory during sweeping & compaction (patchset #2 id:80001 of https://codereview.chromium.org/1653973003/ )
>
> Reason for revert:
> Very likely blocking roll: https://codereview.chromium.org/1652413003/
>
> Original issue's description:
> > [heap] Simplify distribution of remaining memory during sweeping & compaction
> >
> > BUG=chromium:524425
> > LOG=N
> >
> > Committed: https://crrev.com/f72923526ccaa8faef5c977267b0c074c4a44dfa
> > Cr-Commit-Position: refs/heads/master@{#33668}
>
> TBR=hpayer@chromium.org,mlippautz@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:524425
>
> Committed: https://crrev.com/a9441b0e7a2a56c2047482a3cc66e3ca2255444b
> Cr-Commit-Position: refs/heads/master@{#33695}

TBR=hpayer@chromium.org,mlippautz@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425

Review URL: https://codereview.chromium.org/1663013002

Cr-Commit-Position: refs/heads/master@{#33696}

Revert of [heap] Simplify distribution of remaining memory during sweeping & compaction (patchset #2 id:80001 of https://codereview.chromium.org/1653973003/ )

Reason for revert:
Very likely blocking roll: https://codereview.chromium.org/1652413003/

Original issue's description:
> [heap] Simplify distribution of remaining memory during sweeping & compaction
>
> BUG=chromium:524425
> LOG=N
>
> Committed: https://crrev.com/f72923526ccaa8faef5c977267b0c074c4a44dfa
> Cr-Commit-Position: refs/heads/master@{#33668}

TBR=hpayer@chromium.org,mlippautz@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425

Review URL: https://codereview.chromium.org/1661723003

Cr-Commit-Position: refs/heads/master@{#33695}

BUG=chromium:524425
LOG=N

Review URL: https://codereview.chromium.org/1653973003

Cr-Commit-Position: refs/heads/master@{#33668}

This function is called for every live object in new space.  We statically know
which version to call, so let's use templates here and eliminite a branch at
runtime.

BUG=chromium:524425
LOG=N

Review URL: https://codereview.chromium.org/1659823002

Cr-Commit-Position: refs/heads/master@{#33662}

This reverts commit 85ba94f2.

All parallelism can be turned off using --predictable, or --noparallel-compaction.

This patch completely parallelizes
 - semispace copy: from space -> to space (within newspace)
 - newspace evacuation: newspace -> oldspace
 - oldspace compaction: oldspace -> oldspace

Previously newspace has been handled sequentially (semispace copy, newspace
evacuation) before compacting oldspace in parallel. However, on a high level
there are no dependencies between those two actions, hence we parallelize them
altogether. We base the number of evacuation tasks on the overall set of
to-be-processed pages (newspace + oldspace compaction pages).

Some low-level details:
 - The hard cap on number of tasks has been lifted
 - We cache store buffer entries locally before merging them back into the global
   StoreBuffer in a finalization phase.
 - We cache AllocationSite operations locally before merging them back into the
   global pretenuring storage in a finalization phase.
 - AllocationSite might be compacted while they would be needed for newspace
   evacuation. To mitigate any problems we defer checking allocation sites for
   newspace till merging locally buffered data.

CQ_EXTRA_TRYBOTS=tryserver.v8:v8_linux_arm64_gc_stress_dbg,v8_linux_gc_stress_dbg,v8_mac_gc_stress_dbg,v8_linux64_asan_rel,v8_linux64_tsan_rel,v8_mac64_asan_rel
BUG=chromium:524425
LOG=N
R=hpayer@chromium.org, ulan@chromium.org

Review URL: https://codereview.chromium.org/1640563004

Cr-Commit-Position: refs/heads/master@{#33552}

Revert of [heap] Parallel newspace evacuation, semispace copy, and compaction \o/ (patchset #16 id:620001 of https://codereview.chromium.org/1577853007/ )

Reason for revert:
[Sheriff] Leads to crashes on all webrtc chromium testers, e.g.:
https://build.chromium.org/p/chromium.webrtc/builders/Mac%20Tester/builds/49664

Original issue's description:
> [heap] Parallel newspace evacuation, semispace copy, and compaction \o/
>
> All parallelism can be turned off using --predictable, or --noparallel-compaction.
>
> This patch completely parallelizes
>  - semispace copy: from space -> to space (within newspace)
>  - newspace evacuation: newspace -> oldspace
>  - oldspace compaction: oldspace -> oldspace
>
> Previously newspace has been handled sequentially (semispace copy, newspace
> evacuation) before compacting oldspace in parallel. However, on a high level
> there are no dependencies between those two actions, hence we parallelize them
> altogether. We base the number of evacuation tasks on the overall set of
> to-be-processed pages (newspace + oldspace compaction pages).
>
> Some low-level details:
>  - The hard cap on number of tasks has been lifted
>  - We cache store buffer entries locally before merging them back into the global
>    StoreBuffer in a finalization phase.
>  - We cache AllocationSite operations locally before merging them back into the
>    global pretenuring storage in a finalization phase.
>  - AllocationSite might be compacted while they would be needed for newspace
>    evacuation. To mitigate any problems we defer checking allocation sites for
>    newspace till merging locally buffered data.
>
> CQ_EXTRA_TRYBOTS=tryserver.v8:v8_linux_arm64_gc_stress_dbg,v8_linux_gc_stress_dbg,v8_mac_gc_stress_dbg,v8_linux64_asan_rel,v8_linux64_tsan_rel,v8_mac64_asan_rel
> BUG=chromium:524425
> LOG=N
> R=hpayer@chromium.org, ulan@chromium.org
>
> Committed: https://crrev.com/8f0fd8c0370ae8c5aab56491b879d7e30c329062
> Cr-Commit-Position: refs/heads/master@{#33523}

TBR=hpayer@chromium.org,ulan@chromium.org,mlippautz@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425

Review URL: https://codereview.chromium.org/1643473002

Cr-Commit-Position: refs/heads/master@{#33539}

All parallelism can be turned off using --predictable, or --noparallel-compaction.

This patch completely parallelizes
 - semispace copy: from space -> to space (within newspace)
 - newspace evacuation: newspace -> oldspace
 - oldspace compaction: oldspace -> oldspace

Previously newspace has been handled sequentially (semispace copy, newspace
evacuation) before compacting oldspace in parallel. However, on a high level
there are no dependencies between those two actions, hence we parallelize them
altogether. We base the number of evacuation tasks on the overall set of
to-be-processed pages (newspace + oldspace compaction pages).

Some low-level details:
 - The hard cap on number of tasks has been lifted
 - We cache store buffer entries locally before merging them back into the global
   StoreBuffer in a finalization phase.
 - We cache AllocationSite operations locally before merging them back into the
   global pretenuring storage in a finalization phase.
 - AllocationSite might be compacted while they would be needed for newspace
   evacuation. To mitigate any problems we defer checking allocation sites for
   newspace till merging locally buffered data.

CQ_EXTRA_TRYBOTS=tryserver.v8:v8_linux_arm64_gc_stress_dbg,v8_linux_gc_stress_dbg,v8_mac_gc_stress_dbg,v8_linux64_asan_rel,v8_linux64_tsan_rel,v8_mac64_asan_rel
BUG=chromium:524425
LOG=N
R=hpayer@chromium.org, ulan@chromium.org

Review URL: https://codereview.chromium.org/1577853007

Cr-Commit-Position: refs/heads/master@{#33523}

- Completely rely on the concurrent sweeping state for SweepingCompleted()
- Rename the state accordingly.

CQ_EXTRA_TRYBOTS=tryserver.v8:v8_linux_arm64_gc_stress_dbg,v8_linux_gc_stress_dbg,v8_mac_gc_stress_dbg,v8_linux64_asan_rel,v8_linux64_tsan_rel,v8_mac64_asan_rel
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/1614953002

Cr-Commit-Position: refs/heads/master@{#33490}

Also restrict how many pages are swept during slow path allocation.

BUG=chromium:524425
LOG=N

Review URL: https://codereview.chromium.org/1596343004

Cr-Commit-Position: refs/heads/master@{#33435}

This reverts commit 7cf64f40.

Tanks octane. Will use a different approach here.

BUG=chromium:578871, chromium:524425
LOG=N
TBR=hpayer@chromium.org

Review URL: https://codereview.chromium.org/1605813004

Cr-Commit-Position: refs/heads/master@{#33382}

R=mlippautz@chromium.org

Review URL: https://codereview.chromium.org/1583323005

Cr-Commit-Position: refs/heads/master@{#33335}

Those counters will be incremented concurrently during parallel evacuation of
newspace. This change makes sure we do the updates atomically.

Note that actual reasoning about them happens sequentially on the main thread.

BUG=chromium:524425
LOG=N
R=ulan@chromium.org

Review URL: https://codereview.chromium.org/1585843010

Cr-Commit-Position: refs/heads/master@{#33326}

BUG=chromium:524425
LOG=N

Review URL: https://codereview.chromium.org/1588823003

Cr-Commit-Position: refs/heads/master@{#33302}

We use a scratchpad to remember visited allocation sites for post processing
(making tenure decisions). The previous implementation used a rooted FixedArray
with constant length (256) to remember all sites. Updating the scratchpad is a
bottleneck in any parallel/concurrent implementation of newspace evacuation.

The new implementation uses a HashMap with allocation sites as keys and
temporary counts as values. During evacuation we collect a local hashmap of
visited allocation sites. Upon merging the local hashmap back into a global one
we update potential forward pointers of compacted allocation sites.  The
scavenger can directly enter its entries into the global hashmap. Note that the
actual memento found count is still kept on the AllocationSite as it needs to
survive scavenges and full GCs.

BUG=chromium:524425
LOG=N
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/1535723002

Cr-Commit-Position: refs/heads/master@{#33233}

This CL changes the color for encoding black and grey. Moreover, it introduces a higher level live object iterator.

BUG=chromium:561449
LOG=n

Review URL: https://codereview.chromium.org/1517993003

Cr-Commit-Position: refs/heads/master@{#33208}

A concurrent sweeper thread can access the same markbit cell as the main thread
during right trimming a fixed array, resulting in a data race on a markbit cell.
Previously we checked whether we were currently marking incrementally, filtering
out this case.

The current check has the benefit of keeping live_bytes accurate (modulo other
bugs) until the sweeper starts.

BUG=chromium:576193
LOG=N

Review URL: https://codereview.chromium.org/1576853002

Cr-Commit-Position: refs/heads/master@{#33203}

* Buffer counter updates in the corresponding visitor to allow parallel
  processing of pages.
* Fix a bug where we don't keep live bytes in sync when marking is already
  finished.

LOG=N
BUG=524425

Review URL: https://codereview.chromium.org/1559873004

Cr-Commit-Position: refs/heads/master@{#33170}

This CL prepare newspace evacuation for parallel execution wrt. to actual
allocations. The priority for allocations is:
* Try to allocate from LAB if objects are below kMaxLabObjectSize
* Allocate directly (synchronized) from newspace for larger objects.
* Fall back to old space allocation (which will be backed by a local compaction
  space in future).

Semantical change: Previously we did fall back to regular new space promotion if
we are OOM in old space. With this CL we fall back to new space promotion, which
could fail because of fragmentation, again leading to an old space allocation
that finally bails into OOM.

Newspace evacuation is still single threaded and requires further changes to
allocation site tracking.

BUG=chromium:524425
LOG=N

Review URL: https://codereview.chromium.org/1487853002

Cr-Commit-Position: refs/heads/master@{#32970}

Reason for revert:
Revive left-trimming until new strategies are evaluated and decided on.

Partially reverted changes from:
https://codereview.chromium.org/1474203003/

BUG=v8:4606
LOG=N

Original issue's description:
> [heap] delete Heap::LeftTrimFixedAray
>
> No more uses left for this code (thank goodness.)
>
> R=hpayer@chromium.org
> BUG=
>
> Committed: https://crrev.com/dc3442b1ec803916eb6c1882ab4c3ec6fd44dd55
> Cr-Commit-Position: refs/heads/master@{#32305}

TBR=hpayer@chromium.org,ofrobots@google.com

Review URL: https://codereview.chromium.org/1535933002

Cr-Commit-Position: refs/heads/master@{#32965}

Tests for
* aborting a full page.
* partially aborting a page.
* partially aborting a page with pointers between aborted pages.
* partially aborting a page with store buffer entries.

Also introduces force_oom() which prohibits a old space to
expand

BUG=chromium:524425
LOG=N

CQ_EXTRA_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel,v8_linux_nosnap_dbg,v8_win_nosnap_shared_rel,v8_win_nosnap_shared_compile_rel

Review URL: https://codereview.chromium.org/1518803005

Cr-Commit-Position: refs/heads/master@{#32899}

BUG=

Review URL: https://codereview.chromium.org/1514693010

Cr-Commit-Position: refs/heads/master@{#32808}

R=hpayer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1521573002

Cr-Commit-Position: refs/heads/master@{#32793}

BUG=chromium:568495
LOG=NO

Review URL: https://codereview.chromium.org/1515503006

Cr-Commit-Position: refs/heads/master@{#32791}

R=hpayer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1522433002

Cr-Commit-Position: refs/heads/master@{#32789}

Compaction of the array with maps happens lazily upon adding new maps.

BUG=

Review URL: https://codereview.chromium.org/1481953002

Cr-Commit-Position: refs/heads/master@{#32717}

R=hpayer@chromium.org
BUG=chromium:524425
LOG=N

Review URL: https://codereview.chromium.org/1504773002

Cr-Commit-Position: refs/heads/master@{#32712}

It's expensive to walk all shared function infos during the gc atomic
pause. Instead, use WeakCells to implement this structure without
manual clearing.

Reland due to a bug when reusing entries in the optimized code map.

BUG=

Review URL: https://codereview.chromium.org/1508703002

Cr-Commit-Position: refs/heads/master@{#32696}

Instead of iterating the whole map space to find dead transitions,
look in weak cell list and transition array list.

Simple transitions are in the weak cell list.

Full transitions are in the transitions array list.

BUG=chromium:554488
LOG=NO

Review URL: https://codereview.chromium.org/1488593003

Cr-Commit-Position: refs/heads/master@{#32684}

Create a visitor for evacuating objects for young and old generation. This is
the first step of preparing a task to process, both,  newspace and oldspace
pages in parallel.

BUG=chromium:524425
LOG=N

Review URL: https://codereview.chromium.org/1499893002

Cr-Commit-Position: refs/heads/master@{#32617}

Fix the missed store buffer entries for live objects on aborted pages. Marking
the page as scan_on_scavenge takes care of rebuilding the entries. Note that
this requires an additional case in the rebuilding logic as we cannot iterate an
aborted pages using the object layout, but rather have to use mark bits for
this.

BUG=chromium:524425, chromium:564498
LOG=N

Review URL: https://codereview.chromium.org/1497883003

Cr-Commit-Position: refs/heads/master@{#32610}

Reason for revert:
Probably causes GC stress test failures.

TBR=mvstanton@chromium.org
BUG=
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1493393002

Cr-Commit-Position: refs/heads/master@{#32574}

It's expensive to walk all shared function infos during the gc atomic pause. Instead, use WeakCells to implement this structure without manual clearing.

BUG=

Review URL: https://codereview.chromium.org/1478943003

Cr-Commit-Position: refs/heads/master@{#32567}

Reland of Introduce instance type for transition arrays. (patchset #1 id:1 of https://codereview.chromium.org/1483003002/ )

Reason for revert:
Suspect for crashing found, relanding for canary coverage.

Original issue's description:
> Revert of Introduce instance type for transition arrays. (patchset #6 id:100001 of https://codereview.chromium.org/1480873003/ )
>
> Reason for revert:
> Broken canary. Trying to find out root cause.
>
> Original issue's description:
> > Introduce instance type for transition arrays.
> >
> > The motivation is to allow specialized marking visitor for transition arrays and collect all transition array in a list for post-processing in ClearNonLiveReferences.
> >
> > BUG=chromium:554488
> > LOG=NO
> >
> > Committed: https://crrev.com/026095a3c7932573e1810b8064ec3008ed696601
> > Cr-Commit-Position: refs/heads/master@{#32396}
>
> TBR=mlippautz@chromium.org,jkummerow@chromium.org,ulan@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:554488
>
> Committed: https://crrev.com/38bf70b9cd2a07b99ac0c0b7eda111849e79c146
> Cr-Commit-Position: refs/heads/master@{#32404}

TBR=mlippautz@chromium.org,jkummerow@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:554488

Review URL: https://codereview.chromium.org/1500623002

Cr-Commit-Position: refs/heads/master@{#32561}

Split out of PropertyAttributes, and used for all filtering purposes.
Also moved PropertyAttributes into the v8::internal:: namespace.

No change in behavior intended.

Review URL: https://codereview.chromium.org/1492653004

Cr-Commit-Position: refs/heads/master@{#32525}

Revert of [heap] Refactor evacuation for young and old gen into visitors. (patchset #1 id:1 of https://codereview.chromium.org/1493523003/ )

Reason for revert:
Speculative revert for crashing Canary.

Original issue's description:
> Reland of [heap] Refactor evacuation for young and old gen into visitors. (patchset #1 id:1 of https://codereview.chromium.org/1483393002/ )
>
> Reason for revert:
> Reland after fixing the potential root cause of the canary crasher.
>
> Original issue's description:
> > Revert of [heap] Refactor evacuation for young and old gen into visitors. (patchset #5 id:80001 of https://codereview.chromium.org/1470253002/ )
> >
> > Reason for revert:
> > Still investigating bad canary.
> >
> > Original issue's description:
> > > [heap] Refactor evacuation for young and old gen into visitors.
> > >
> > > Create a visitor for evacuating objects for young and old generation. This is
> > > the first step of preparing a task to process, both,  newspace and oldspace
> > > pages in parallel.
> > >
> > > BUG=chromium:524425
> > > LOG=N
> > >
> > > Committed: https://crrev.com/138d9bae5d7014e0d205634a49b5eac3697744c8
> > > Cr-Commit-Position: refs/heads/master@{#32349}
> >
> > TBR=mlippautz@chromium.org
> > NOPRESUBMIT=true
> > NOTREECHECKS=true
> > NOTRY=true
> > BUG=chromium:524425
> >
> > Committed: https://crrev.com/aa24a3135ec308e1f84bce334844caf0cae2437a
> > Cr-Commit-Position: refs/heads/master@{#32462}
>
> TBR=mlippautz@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:524425
>
> Committed: https://crrev.com/120b640dfce5f02cecc5af72ca0b2b3b93ce8652
> Cr-Commit-Position: refs/heads/master@{#32500}

TBR=hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425

Review URL: https://codereview.chromium.org/1495583002

Cr-Commit-Position: refs/heads/master@{#32522}

Revert of [heap] Unify evacuating an object for new and old generation. (patchset #1 id:1 of https://codereview.chromium.org/1494533002/ )

Reason for revert:
Speculative revert for crashing Canary.

Original issue's description:
> Reland of [heap] Unify evacuating an object for new and old generation. (patchset #1 id:1 of https://codereview.chromium.org/1483963004/ )
>
> Reason for revert:
> Reland after fixing the potential root cause of the canary crasher.
>
> Original issue's description:
> > Revert of [heap] Unify evacuating an object for new and old generation. (patchset #2 id:20001 of https://codereview.chromium.org/1481873002/ )
> >
> > Reason for revert:
> > Still investigating bad canary.
> >
> > Original issue's description:
> > > [heap] Unify evacuating an object for new and old generation.
> > >
> > > BUG=chromium:524425
> > > LOG=N
> > >
> > > Committed: https://crrev.com/afb8bcce8ba889280ed747eb218d287ddd233b4a
> > > Cr-Commit-Position: refs/heads/master@{#32365}
> >
> > TBR=mlippautz@chromium.org
> > NOPRESUBMIT=true
> > NOTREECHECKS=true
> > NOTRY=true
> > BUG=chromium:524425
> >
> > Committed: https://crrev.com/9c60ddc60e96da0c59e646660789c26550ad52a2
> > Cr-Commit-Position: refs/heads/master@{#32460}
>
> TBR=mlippautz@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:524425
>
> Committed: https://crrev.com/7ea8ac98f6eb5ffa9d4976aa22fec9befb814e0c
> Cr-Commit-Position: refs/heads/master@{#32501}

TBR=hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425

Review URL: https://codereview.chromium.org/1491013003

Cr-Commit-Position: refs/heads/master@{#32521}

Revert of "[heap] Clean up stale store buffer entries for aborted pages." (patchset #3 id:40001 of https://codereview.chromium.org/1494503004/ )

Reason for revert:
Still failing on GC stress
  https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux%20-%20gc%20stress/builds/690

Original issue's description:
> Reland of "[heap] Clean up stale store buffer entries for aborted pages."
>
> This reverts commit d4fc4a8c.
>
> 1.  Let X be the aborted slot (slot in an evacuated object in an aborted page)
> 2.  Assume X contains pointer to Y and Y is in the new space, so X is in the
>     store buffer.
> 3.  Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
> 4.  The current mark-sweep finishes. The slot X is in free space and is also in
>     the store buffer.
> 5.  A string of length 9 "abcdefghi" is allocated in the new space. The string
>     looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
>     previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
>     object before.
> 6.  Scavenge happens.
> 7.  Slot X is still in free space and in store buffer. [It causes scavenge of
>     the object Y in
>     store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
>     it is not important].
> 8.  Our string is promoted and is allocated over the slot X, such that NNNNNNNi
>     is written in X.
> 9.  The scavenge finishes.
> 9.  Another scavenge starts.
> 10. We crash in
>     store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
>     processing slot X, because it doesn't point to valid map.
>
> BUG=chromium:524425, chromium:564498
> LOG=N
> R=hpayer@chromium.org, ulan@chromium.org
>
> Committed: https://crrev.com/fc6ff534003480e49dc481d9c665e961ab709c02
> Cr-Commit-Position: refs/heads/master@{#32514}

TBR=hpayer@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425, chromium:564498

Review URL: https://codereview.chromium.org/1492823002

Cr-Commit-Position: refs/heads/master@{#32520}

This reverts commit d4fc4a8c.

1.  Let X be the aborted slot (slot in an evacuated object in an aborted page)
2.  Assume X contains pointer to Y and Y is in the new space, so X is in the
    store buffer.
3.  Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
4.  The current mark-sweep finishes. The slot X is in free space and is also in
    the store buffer.
5.  A string of length 9 "abcdefghi" is allocated in the new space. The string
    looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
    previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
    object before.
6.  Scavenge happens.
7.  Slot X is still in free space and in store buffer. [It causes scavenge of
    the object Y in
    store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
    it is not important].
8.  Our string is promoted and is allocated over the slot X, such that NNNNNNNi
    is written in X.
9.  The scavenge finishes.
9.  Another scavenge starts.
10. We crash in
    store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
    processing slot X, because it doesn't point to valid map.

BUG=chromium:524425, chromium:564498
LOG=N
R=hpayer@chromium.org, ulan@chromium.org

Review URL: https://codereview.chromium.org/1494503004

Cr-Commit-Position: refs/heads/master@{#32514}

Revert of [heap] Clean up stale store buffer entries for aborted pages. (patchset #4 id:60001 of https://codereview.chromium.org/1493653002/ )

Reason for revert:
Not completely correct fix.

Original issue's description:
> [heap] Clean up stale store buffer entries for aborted pages.
>
> 1.  Let X be the aborted slot (slot in an evacuated object in an aborted page)
> 2.  Assume X contains pointer to Y and Y is in the new space, so X is in the
>     store buffer.
> 3.  Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
> 4.  The current mark-sweep finishes. The slot X is in free space and is also in
>     the store buffer.
> 5.  A string of length 9 "abcdefghi" is allocated in the new space. The string
>     looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
>     previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
>     object before.
> 6.  Scavenge happens.
> 7.  Slot X is still in free space and in store buffer. [It causes scavenge of
>     the object Y in
>     store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
>     it is not important].
> 8.  Our string is promoted and is allocated over the slot X, such that NNNNNNNi
>     is written in X.
> 9.  The scavenge finishes.
> 9.  Another scavenge starts.
> 10. We crash in
>     store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
>     processing slot X, because it doesn't point to valid map.
>
> BUG=chromium:524425,chromium:564498
> LOG=N
> R=hpayer@chromium.org, ulan@chromium.org
>
> Committed: https://crrev.com/2e7eea4aef3403969fe885e30f892d46253b3572
> Cr-Commit-Position: refs/heads/master@{#32495}

TBR=hpayer@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425,chromium:564498

Review URL: https://codereview.chromium.org/1489243004

Cr-Commit-Position: refs/heads/master@{#32504}

Reland of [heap] Cleanup mark bit usage. (patchset #1 id:1 of https://codereview.chromium.org/1490753003/ )

Reason for revert:
Reland after fixing the potential root cause of the canary crasher.

Original issue's description:
> Revert of [heap] Cleanup mark bit usage. (patchset #1 id:1 of https://codereview.chromium.org/1474203003/ )
>
> Reason for revert:
> Still investigating bad canary.
>
> Original issue's description:
> > [heap] Cleanup mark bit usage.
> >
> > BUG=
> >
> > Committed: https://crrev.com/5874ac783ff9bc4bb4b2fda81f5077f06619f96c
> > Cr-Commit-Position: refs/heads/master@{#32362}
>
> TBR=mlippautz@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=
>
> Committed: https://crrev.com/d3faef8658598e68331208b5a1846ac1c250cb49
> Cr-Commit-Position: refs/heads/master@{#32461}

TBR=mlippautz@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1488393003

Cr-Commit-Position: refs/heads/master@{#32502}