-
Ulan Degenbaev authored
Empty slot set buckets can leak in the following scenarios. Scenario 1 (large object space): 1) A large array is allocated in the large object space. 2) The array is filled with old->new references, which allocates new slot set buckets. 3) The references are overwritten with smis or old space pointers, which make the slots set buckets empty. 4) Garbage collection (scavenge or mark-compact) iterates the slots set of the array and pre-frees the empty buckets. 5) Steps 2-4 repeated many times and leak arbitary many empty buckets. The fix to free empty buckets for large object space in mark-compact. Scenario 2 (no mark-compact): 1) A small array is allocated in the old space. 2) The array is filled with old->new references, which allocates new slot set buckets. 3) The references are overwritten with smis or old space pointers, which make the slots set buckets empty. 4) Scavenge iterates the slots set of the array and pre-frees the empty buckets. 5) Steps 2-4 repeated many times and leak arbitary many empty buckets. The fix to free empty buckets for swept pages in scavenger. Bug: v8:6800 TBR: mlippautz@chromium.org Change-Id: I48d94870f5acf4f6208858271886911c895a9126 Reviewed-on: https://chromium-review.googlesource.com/668442Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#48041}
163d3604
