    Reland "Fix invalidation of old-to-old slots after object trimming." · 51e6ecb9
    Ulan Degenbaev authored
    This reverts commit 5b434929.
    
    Changes after the original CL:
    - Right-trimming registers the array as an object with invalidated
      slots.
    - Left-trimming moves the array start in the invalidated slots map.
    
    Original change's description:
    > Fix invalidation of old-to-old slots after object trimming.
    >
    > A recorded old-to-old slot may be overwritten with a pointer to a new
    > space object. If the object containing the slot is trimmed later on,
    > then the mark-compactor may crash on a stale pointer to new space.
    >
    > This patch ensures that:
    > 1) On trimming of an object we add it to the invalidated_slots sets.
    > 2) The InvalidatedSlotsFilter::IsValid returns false for slots outside
    >    the invalidated object unless the page was already swept.
    >
    > Array left-trimming is handled as a special case because object start
    > moves and cannot be added to the invalidated set. Instead, we clear
    > the freed memory so that the recorded slots contain Smi values.
    >
    > Bug: chromium:870226,chromium:816426
    > Change-Id: Iffc05a58fcf52ece45fdb085b5d1fd4b3acb5d53
    > Reviewed-on: https://chromium-review.googlesource.com/1163784
    > Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
    > Reviewed-by: Hannes Payer <hpayer@chromium.org>
    > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
    > Cr-Commit-Position: refs/heads/master@{#54953}
    
    Change-Id: I1f1080f680196c581f62aef8d3a00a595f9bb9b0
    Reviewed-on: https://chromium-review.googlesource.com/1165555
    Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
    Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
    Reviewed-by: Hannes Payer <hpayer@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#55066}
Name
OWNERS
array-buffer-collector.cc
array-buffer-collector.h
array-buffer-tracker-inl.h
array-buffer-tracker.cc
array-buffer-tracker.h
barrier.h
code-stats.cc
code-stats.h
concurrent-marking.cc
concurrent-marking.h
embedder-tracing.cc
embedder-tracing.h
factory-inl.h
factory.cc
factory.h
gc-idle-time-handler.cc
gc-idle-time-handler.h
gc-tracer.cc
gc-tracer.h
heap-controller.cc
heap-controller.h
heap-inl.h
heap-write-barrier-inl.h
heap-write-barrier.h
heap.cc
heap.h
incremental-marking-inl.h
incremental-marking-job.cc
incremental-marking-job.h
incremental-marking.cc
incremental-marking.h
invalidated-slots-inl.h
invalidated-slots.cc
invalidated-slots.h
item-parallel-job.cc
item-parallel-job.h
local-allocator-inl.h
local-allocator.h
mark-compact-inl.h
mark-compact.cc
mark-compact.h
marking.cc
marking.h
memory-reducer.cc
memory-reducer.h
object-stats.cc
object-stats.h
objects-visiting-inl.h
objects-visiting.cc
objects-visiting.h
remembered-set.h
scavenge-job.cc
scavenge-job.h
scavenger-inl.h
scavenger.cc
scavenger.h
setup-heap-internal.cc
slot-set.h
spaces-inl.h
spaces.cc
spaces.h
store-buffer-inl.h
store-buffer.cc
store-buffer.h
stress-marking-observer.cc
stress-marking-observer.h
stress-scavenge-observer.cc
stress-scavenge-observer.h
sweeper.cc
sweeper.h
worklist.h