deps: backport 7a88ff3 from V8 upstream

This backport does not include the changes to `src/heap/scavenger.cc` as it does not exist in the V8 included in the v4.x stream. Original commit message: Filter out stale left-trimmed handles for scavenges The missing part from https://codereview.chromium.org/2078403002/ R=jochen@chromium.org BUG=chromium:621869 LOG=N Review-Url: https://codereview.chromium.org/2077353004 Cr-Commit-Position: refs/heads/master@{#37184} PR-URL: #10668 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
nodejs · Feb 1, 2017 · ce66c8e · ce66c8e
1 parent 8bd3d83
commit ce66c8e
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 28 deletions.
diff --git a/deps/v8/src/heap/heap-inl.h b/deps/v8/src/heap/heap-inl.h
@@ -393,12 +393,35 @@ bool Heap::AllowedToBeMigrated(HeapObject* obj, AllocationSpace dst) {
  return false;
 }
 
-
 void Heap::CopyBlock(Address dst, Address src, int byte_size) {
  CopyWords(reinterpret_cast<Object**>(dst), reinterpret_cast<Object**>(src),
  static_cast<size_t>(byte_size / kPointerSize));
 }
 
+bool Heap::PurgeLeftTrimmedObject(Object** object) {
+ HeapObject* current = reinterpret_cast<HeapObject*>(*object);
+ const MapWord map_word = current->map_word();
+ if (current->IsFiller() && !map_word.IsForwardingAddress()) {
+#ifdef DEBUG
+ // We need to find a FixedArrayBase map after walking the fillers.
+ while (current->IsFiller()) {
+ Address next = reinterpret_cast<Address>(current);
+ if (current->map() == one_pointer_filler_map()) {
+ next += kPointerSize;
+ } else if (current->map() == two_pointer_filler_map()) {
+ next += 2 * kPointerSize;
+ } else {
+ next += current->Size();
+ }
+ current = reinterpret_cast<HeapObject*>(next);
+ }
+ DCHECK(current->IsFixedArrayBase());
+#endif // DEBUG
+ *object = nullptr;
+ return true;
+ }
+ return false;
+}
 
 void Heap::MoveBlock(Address dst, Address src, int byte_size) {
  DCHECK(IsAligned(byte_size, kPointerSize));

diff --git a/deps/v8/src/heap/heap.h b/deps/v8/src/heap/heap.h
@@ -590,6 +590,12 @@ class Heap {
  // jslimit_/real_jslimit_ variable in the StackGuard.
  void SetStackLimits();
 
+ // We cannot avoid stale handles to left-trimmed objects, but can only make
+ // sure all handles still needed are updated. Filter out a stale pointer
+ // and clear the slot to allow post processing of handles (needed because
+ // the sweeper might actually free the underlying page).
+ inline bool PurgeLeftTrimmedObject(Object** object);
+
  // Notifies the heap that is ok to start marking or other activities that
  // should not happen during deserialization.
  void NotifyDeserializationComplete();

diff --git a/deps/v8/src/heap/mark-compact.cc b/deps/v8/src/heap/mark-compact.cc
@@ -1650,31 +1650,7 @@ class RootMarkingVisitor : public ObjectVisitor {
 
  HeapObject* object = ShortCircuitConsString(p);
 
- // We cannot avoid stale handles to left-trimmed objects, but can only make
- // sure all handles still needed are updated. Filter out any stale pointers
- // and clear the slot to allow post processing of handles (needed because
- // the sweeper might actually free the underlying page).
- if (object->IsFiller()) {
-#ifdef DEBUG
- // We need to find a FixedArrayBase map after walking the fillers.
- Heap* heap = collector_->heap();
- HeapObject* current = object;
- while (current->IsFiller()) {
- Address next = reinterpret_cast<Address>(current);
- if (current->map() == heap->one_pointer_filler_map()) {
- next += kPointerSize;
- } else if (current->map() == heap->two_pointer_filler_map()) {
- next += 2 * kPointerSize;
- } else {
- next += current->Size();
- }
- current = reinterpret_cast<HeapObject*>(next);
- }
- DCHECK(current->IsFixedArrayBase());
-#endif // DEBUG
- *p = nullptr;
- return;
- }
+ if (collector_->heap()->PurgeLeftTrimmedObject(p)) return;
 
  MarkBit mark_bit = Marking::MarkBitFrom(object);
  if (Marking::IsBlackOrGrey(mark_bit)) return;

diff --git a/deps/v8/src/objects-inl.h b/deps/v8/src/objects-inl.h
@@ -1351,7 +1351,7 @@ Map* MapWord::ToMap() {
 }
 
 
-bool MapWord::IsForwardingAddress() {
+bool MapWord::IsForwardingAddress() const {
  return HAS_SMI_TAG(reinterpret_cast<Object*>(value_));
 }
 

diff --git a/deps/v8/src/objects.h b/deps/v8/src/objects.h
@@ -1382,7 +1382,7 @@ class MapWord BASE_EMBEDDED {
  // True if this map word is a forwarding address for a scavenge
  // collection. Only valid during a scavenge collection (specifically,
  // when all map words are heap object pointers, i.e. not during a full GC).
- inline bool IsForwardingAddress();
+ inline bool IsForwardingAddress() const;
 
  // Create a map word from a forwarding address.
  static inline MapWord FromForwardingAddress(HeapObject* object);

diff --git a/deps/v8/test/mjsunit/regress/regress-621869.js b/deps/v8/test/mjsunit/regress/regress-621869.js
@@ -0,0 +1,18 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc
+
+var o0 = [];
+var o1 = [];
+var cnt = 0;
+var only_scavenge = true;
+o1.__defineGetter__(0, function() {
+ if (cnt++ > 2) return;
+ o0.shift();
+ gc(only_scavenge);
+ o0.push((64));
+ o0.concat(o1);
+});
+o1[0];