src · de672226c7554213221ffe5a049733bad6a68e90 · Linshizhi / V8

Clear old backing store of WeakCollection on updates. · de672226

ulan@chromium.org authored Oct 31, 2014

Not clearing can lead to a crash under following conditions:
1. Backing store of a weak map is allocated in large object space.
2. The backing store is marked incrementaly via the weak map.
3. The weak map is updated and gets a new backing store.
4. The store buffer overflows and marks the chunk of the old backing store as
"scan on scavenge."
5. Mark-compact collection kills some elements of the weak map. Note that the
old backing store survives because it was marked incrementally, but its dead
elements are not cleared.
6. Scavenger iterates over the old backing store, tries to move a dead object
and crashes.

BUG=v8:3631
LOG=N
TEST=cctest/test-heap/Regress3631
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/686783003

Cr-Commit-Position: refs/heads/master@{#25032}
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@25032 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

de672226

Name	Last commit	Last update
..
arm		Loading commit data...
arm64		Loading commit data...
base		Loading commit data...
compiler		Loading commit data...
extensions		Loading commit data...
heap		Loading commit data...
ia32		Loading commit data...
ic		Loading commit data...
libplatform		Loading commit data...
mips		Loading commit data...
mips64		Loading commit data...
runtime		Loading commit data...
third_party		Loading commit data...
x64		Loading commit data...
x87		Loading commit data...
DEPS		Loading commit data...
OWNERS		Loading commit data...
accessors.cc		Loading commit data...
accessors.h		Loading commit data...
allocation-site-scopes.cc		Loading commit data...
allocation-site-scopes.h		Loading commit data...
allocation-tracker.cc		Loading commit data...
allocation-tracker.h		Loading commit data...
allocation.cc		Loading commit data...
allocation.h		Loading commit data...
api.cc		Loading commit data...
api.h		Loading commit data...
apinatives.js		Loading commit data...
arguments.cc		Loading commit data...
arguments.h		Loading commit data...
array-iterator.js		Loading commit data...
array.js		Loading commit data...
arraybuffer.js		Loading commit data...
assembler.cc		Loading commit data...
assembler.h		Loading commit data...
assert-scope.cc		Loading commit data...
assert-scope.h		Loading commit data...
ast-numbering.cc		Loading commit data...
ast-numbering.h		Loading commit data...
ast-value-factory.cc		Loading commit data...
ast-value-factory.h		Loading commit data...
ast.cc		Loading commit data...
ast.h		Loading commit data...
background-parsing-task.cc		Loading commit data...
background-parsing-task.h		Loading commit data...
bailout-reason.cc		Loading commit data...
bailout-reason.h		Loading commit data...
basic-block-profiler.cc		Loading commit data...
basic-block-profiler.h		Loading commit data...
bignum-dtoa.cc		Loading commit data...
bignum-dtoa.h		Loading commit data...
bignum.cc		Loading commit data...
bignum.h		Loading commit data...
bit-vector.cc		Loading commit data...
bit-vector.h		Loading commit data...
bootstrapper.cc		Loading commit data...
bootstrapper.h		Loading commit data...
builtins.cc		Loading commit data...
builtins.h		Loading commit data...
bytecodes-irregexp.h		Loading commit data...
cached-powers.cc		Loading commit data...
cached-powers.h		Loading commit data...
char-predicates-inl.h		Loading commit data...
char-predicates.cc		Loading commit data...
char-predicates.h		Loading commit data...
checks.cc		Loading commit data...
checks.h		Loading commit data...
circular-queue-inl.h		Loading commit data...
circular-queue.h		Loading commit data...
code-factory.cc		Loading commit data...
code-factory.h		Loading commit data...
code-stubs-hydrogen.cc		Loading commit data...
code-stubs.cc		Loading commit data...
code-stubs.h		Loading commit data...
code.h		Loading commit data...
codegen.cc		Loading commit data...
codegen.h		Loading commit data...
collection-iterator.js		Loading commit data...
collection.js		Loading commit data...
compilation-cache.cc		Loading commit data...
compilation-cache.h		Loading commit data...
compilation-statistics.cc		Loading commit data...
compilation-statistics.h		Loading commit data...
compiler.cc		Loading commit data...
compiler.h		Loading commit data...
contexts.cc		Loading commit data...
contexts.h		Loading commit data...
conversions-inl.h		Loading commit data...
conversions.cc		Loading commit data...
conversions.h		Loading commit data...
counters.cc		Loading commit data...
counters.h		Loading commit data...
cpu-profiler-inl.h		Loading commit data...
cpu-profiler.cc		Loading commit data...
cpu-profiler.h		Loading commit data...
d8-debug.cc		Loading commit data...
d8-debug.h		Loading commit data...
d8-posix.cc		Loading commit data...
d8-readline.cc		Loading commit data...
d8-windows.cc		Loading commit data...
d8.cc		Loading commit data...
d8.gyp		Loading commit data...
d8.h		Loading commit data...
d8.js		Loading commit data...
date.cc		Loading commit data...
date.h		Loading commit data...
date.js		Loading commit data...
dateparser-inl.h		Loading commit data...
dateparser.cc		Loading commit data...
dateparser.h		Loading commit data...
debug-debugger.js		Loading commit data...
debug.cc		Loading commit data...
debug.h		Loading commit data...
deoptimizer.cc		Loading commit data...
deoptimizer.h		Loading commit data...
disasm.h		Loading commit data...
disassembler.cc		Loading commit data...
disassembler.h		Loading commit data...
diy-fp.cc		Loading commit data...
diy-fp.h		Loading commit data...
double.h		Loading commit data...
dtoa.cc		Loading commit data...
dtoa.h		Loading commit data...
effects.h		Loading commit data...
elements-kind.cc		Loading commit data...
elements-kind.h		Loading commit data...
elements.cc		Loading commit data...
elements.h		Loading commit data...
execution.cc		Loading commit data...
execution.h		Loading commit data...
factory.cc		Loading commit data...
factory.h		Loading commit data...
fast-dtoa.cc		Loading commit data...
fast-dtoa.h		Loading commit data...
field-index-inl.h		Loading commit data...
field-index.h		Loading commit data...
fixed-dtoa.cc		Loading commit data...
fixed-dtoa.h		Loading commit data...
flag-definitions.h		Loading commit data...
flags.cc		Loading commit data...
flags.h		Loading commit data...
frames-inl.h		Loading commit data...
frames.cc		Loading commit data...
frames.h		Loading commit data...
full-codegen.cc		Loading commit data...
full-codegen.h		Loading commit data...
func-name-inferrer.cc		Loading commit data...
func-name-inferrer.h		Loading commit data...
gdb-jit.cc		Loading commit data...
gdb-jit.h		Loading commit data...
generator.js		Loading commit data...
global-handles.cc		Loading commit data...
global-handles.h		Loading commit data...
globals.h		Loading commit data...
handles-inl.h		Loading commit data...
handles.cc		Loading commit data...
handles.h		Loading commit data...
harmony-array.js		Loading commit data...
harmony-classes.js		Loading commit data...
harmony-string.js		Loading commit data...
harmony-tostring.js		Loading commit data...
harmony-typedarray.js		Loading commit data...
hashmap.h		Loading commit data...
heap-profiler.cc		Loading commit data...
heap-profiler.h		Loading commit data...
heap-snapshot-generator-inl.h		Loading commit data...
heap-snapshot-generator.cc		Loading commit data...
heap-snapshot-generator.h		Loading commit data...
hydrogen-alias-analysis.h		Loading commit data...
hydrogen-bce.cc		Loading commit data...
hydrogen-bce.h		Loading commit data...
hydrogen-bch.cc		Loading commit data...
hydrogen-bch.h		Loading commit data...
hydrogen-canonicalize.cc		Loading commit data...
hydrogen-canonicalize.h		Loading commit data...
hydrogen-check-elimination.cc		Loading commit data...
hydrogen-check-elimination.h		Loading commit data...
hydrogen-dce.cc		Loading commit data...
hydrogen-dce.h		Loading commit data...
hydrogen-dehoist.cc		Loading commit data...
hydrogen-dehoist.h		Loading commit data...
hydrogen-environment-liveness.cc		Loading commit data...
hydrogen-environment-liveness.h		Loading commit data...
hydrogen-escape-analysis.cc		Loading commit data...
hydrogen-escape-analysis.h		Loading commit data...
hydrogen-flow-engine.h		Loading commit data...
hydrogen-gvn.cc		Loading commit data...
hydrogen-gvn.h		Loading commit data...
hydrogen-infer-representation.cc		Loading commit data...
hydrogen-infer-representation.h		Loading commit data...
hydrogen-infer-types.cc		Loading commit data...
hydrogen-infer-types.h		Loading commit data...
hydrogen-instructions.cc		Loading commit data...
hydrogen-instructions.h		Loading commit data...
hydrogen-load-elimination.cc		Loading commit data...
hydrogen-load-elimination.h		Loading commit data...
hydrogen-mark-deoptimize.cc		Loading commit data...
hydrogen-mark-deoptimize.h		Loading commit data...
hydrogen-mark-unreachable.cc		Loading commit data...
hydrogen-mark-unreachable.h		Loading commit data...
hydrogen-osr.cc		Loading commit data...
hydrogen-osr.h		Loading commit data...
hydrogen-range-analysis.cc		Loading commit data...
hydrogen-range-analysis.h		Loading commit data...
hydrogen-redundant-phi.cc		Loading commit data...
hydrogen-redundant-phi.h		Loading commit data...
hydrogen-removable-simulates.cc		Loading commit data...
hydrogen-removable-simulates.h		Loading commit data...
hydrogen-representation-changes.cc		Loading commit data...
hydrogen-representation-changes.h		Loading commit data...
hydrogen-sce.cc		Loading commit data...
hydrogen-sce.h		Loading commit data...
hydrogen-store-elimination.cc		Loading commit data...
hydrogen-store-elimination.h		Loading commit data...
hydrogen-types.cc		Loading commit data...
hydrogen-types.h		Loading commit data...
hydrogen-uint32-analysis.cc		Loading commit data...
hydrogen-uint32-analysis.h		Loading commit data...
hydrogen.cc		Loading commit data...
hydrogen.h		Loading commit data...
i18n.cc		Loading commit data...
i18n.h		Loading commit data...
i18n.js		Loading commit data...
icu_util.cc		Loading commit data...
icu_util.h		Loading commit data...
interface-descriptors.cc		Loading commit data...
interface-descriptors.h		Loading commit data...
interface.cc		Loading commit data...
interface.h		Loading commit data...
interpreter-irregexp.cc		Loading commit data...
interpreter-irregexp.h		Loading commit data...
isolate-inl.h		Loading commit data...
isolate.cc		Loading commit data...
isolate.h		Loading commit data...
json-parser.h		Loading commit data...
json-stringifier.h		Loading commit data...
json.js		Loading commit data...
jsregexp-inl.h		Loading commit data...
jsregexp.cc		Loading commit data...
jsregexp.h		Loading commit data...
list-inl.h		Loading commit data...
list.h		Loading commit data...
lithium-allocator-inl.h		Loading commit data...
lithium-allocator.cc		Loading commit data...
lithium-allocator.h		Loading commit data...
lithium-codegen.cc		Loading commit data...
lithium-codegen.h		Loading commit data...
lithium-inl.h		Loading commit data...
lithium.cc		Loading commit data...
lithium.h		Loading commit data...
liveedit-debugger.js		Loading commit data...
liveedit.cc		Loading commit data...
liveedit.h		Loading commit data...
log-inl.h		Loading commit data...
log-utils.cc		Loading commit data...
log-utils.h		Loading commit data...
log.cc		Loading commit data...
log.h		Loading commit data...
lookup-inl.h		Loading commit data...
lookup.cc		Loading commit data...
lookup.h		Loading commit data...
macro-assembler.h		Loading commit data...
macros.py		Loading commit data...
math.js		Loading commit data...
messages.cc		Loading commit data...
messages.h		Loading commit data...
messages.js		Loading commit data...
mirror-debugger.js		Loading commit data...
mksnapshot.cc		Loading commit data...
msan.h		Loading commit data...
natives-external.cc		Loading commit data...
natives.h		Loading commit data...
object-observe.js		Loading commit data...
objects-debug.cc		Loading commit data...
objects-inl.h		Loading commit data...
objects-printer.cc		Loading commit data...
objects.cc		Loading commit data...
objects.h		Loading commit data...
optimizing-compiler-thread.cc		Loading commit data...
optimizing-compiler-thread.h		Loading commit data...
ostreams.cc		Loading commit data...
ostreams.h		Loading commit data...
parser.cc		Loading commit data...
parser.h		Loading commit data...
perf-jit.cc		Loading commit data...
perf-jit.h		Loading commit data...
preparse-data-format.h		Loading commit data...
preparse-data.cc		Loading commit data...
preparse-data.h		Loading commit data...
preparser.cc		Loading commit data...
preparser.h		Loading commit data...
prettyprinter.cc		Loading commit data...
prettyprinter.h		Loading commit data...
profile-generator-inl.h		Loading commit data...
profile-generator.cc		Loading commit data...
profile-generator.h		Loading commit data...
promise.js		Loading commit data...
property-details-inl.h		Loading commit data...
property-details.h		Loading commit data...
property.cc		Loading commit data...
property.h		Loading commit data...
prototype.h		Loading commit data...
proxy.js		Loading commit data...
regexp-macro-assembler-irregexp-inl.h		Loading commit data...
regexp-macro-assembler-irregexp.cc		Loading commit data...
regexp-macro-assembler-irregexp.h		Loading commit data...
regexp-macro-assembler-tracer.cc		Loading commit data...
regexp-macro-assembler-tracer.h		Loading commit data...
regexp-macro-assembler.cc		Loading commit data...
regexp-macro-assembler.h		Loading commit data...
regexp-stack.cc		Loading commit data...
regexp-stack.h		Loading commit data...
regexp.js		Loading commit data...
rewriter.cc		Loading commit data...
rewriter.h		Loading commit data...
runtime-profiler.cc		Loading commit data...
runtime-profiler.h		Loading commit data...
runtime.js		Loading commit data...
safepoint-table.cc		Loading commit data...
safepoint-table.h		Loading commit data...
sampler.cc		Loading commit data...
sampler.h		Loading commit data...
scanner-character-streams.cc		Loading commit data...
scanner-character-streams.h		Loading commit data...
scanner.cc		Loading commit data...
scanner.h		Loading commit data...
scopeinfo.cc		Loading commit data...
scopeinfo.h		Loading commit data...
scopes.cc		Loading commit data...
scopes.h		Loading commit data...
serialize.cc		Loading commit data...
serialize.h		Loading commit data...
simulator.h		Loading commit data...
small-pointer-list.h		Loading commit data...
smart-pointers.h		Loading commit data...
snapshot-common.cc		Loading commit data...
snapshot-empty.cc		Loading commit data...
snapshot-external.cc		Loading commit data...
snapshot-source-sink.cc		Loading commit data...
snapshot-source-sink.h		Loading commit data...
snapshot.h		Loading commit data...
splay-tree-inl.h		Loading commit data...
splay-tree.h		Loading commit data...
string-iterator.js		Loading commit data...
string-search.cc		Loading commit data...
string-search.h		Loading commit data...
string-stream.cc		Loading commit data...
string-stream.h		Loading commit data...
string.js		Loading commit data...
strtod.cc		Loading commit data...
strtod.h		Loading commit data...
symbol.js		Loading commit data...
token.cc		Loading commit data...
token.h		Loading commit data...
transitions-inl.h		Loading commit data...
transitions.cc		Loading commit data...
transitions.h		Loading commit data...
type-feedback-vector-inl.h		Loading commit data...
type-feedback-vector.cc		Loading commit data...
type-feedback-vector.h		Loading commit data...
type-info.cc		Loading commit data...
type-info.h		Loading commit data...
typedarray.js		Loading commit data...
types-inl.h		Loading commit data...
types.cc		Loading commit data...
types.h		Loading commit data...
typing.cc		Loading commit data...
typing.h		Loading commit data...
unbound-queue-inl.h		Loading commit data...
unbound-queue.h		Loading commit data...
unicode-decoder.cc		Loading commit data...
unicode-decoder.h		Loading commit data...
unicode-inl.h		Loading commit data...
unicode.cc		Loading commit data...
unicode.h		Loading commit data...
unique.h		Loading commit data...
uri.js		Loading commit data...
utils-inl.h		Loading commit data...
utils.cc		Loading commit data...
utils.h		Loading commit data...
v8.cc		Loading commit data...
v8.h		Loading commit data...
v8dll-main.cc		Loading commit data...
v8memory.h		Loading commit data...
v8natives.js		Loading commit data...
v8threads.cc		Loading commit data...
v8threads.h		Loading commit data...
variables.cc		Loading commit data...
variables.h		Loading commit data...
vector.h		Loading commit data...
version.cc		Loading commit data...
version.h		Loading commit data...
vm-state-inl.h		Loading commit data...
vm-state.h		Loading commit data...
weak-collection.js		Loading commit data...
zone-allocator.h		Loading commit data...
zone-containers.h		Loading commit data...
zone-inl.h		Loading commit data...
zone.cc		Loading commit data...
zone.h		Loading commit data...