Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 8bd3d83

Browse filesBrowse files
MylesBorinsMylesBorins
committed
deps: backport d800a65 from V8 upstream
This backport does not include the original changes to SLOW_DCHECK as it does not exist in the V8 in node v4.x Original commit message: Filter out stale left-trimmed handles BUG=chromium:620553 LOG=N R=jochen@chromium.org Review-Url: https://codereview.chromium.org/2078403002 Cr-Commit-Position: refs/heads/master@{#37108} PR-URL: #10668 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
1 parent 81e9a3b commit 8bd3d83
Copy full SHA for 8bd3d83

File tree

Expand file treeCollapse file tree

2 files changed

+44
-1
lines changed
Open diff view settings
Filter options
Expand file treeCollapse file tree

2 files changed

+44
-1
lines changed
Open diff view settings
Collapse file

‎deps/v8/src/heap/mark-compact.cc‎

Copy file name to clipboardExpand all lines: deps/v8/src/heap/mark-compact.cc
+27-1Lines changed: 27 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1648,8 +1648,34 @@ class RootMarkingVisitor : public ObjectVisitor {
16481648
void MarkObjectByPointer(Object** p) {
16491649
if (!(*p)->IsHeapObject()) return;
16501650

1651-
// Replace flat cons strings in place.
16521651
HeapObject* object = ShortCircuitConsString(p);
1652+
1653+
// We cannot avoid stale handles to left-trimmed objects, but can only make
1654+
// sure all handles still needed are updated. Filter out any stale pointers
1655+
// and clear the slot to allow post processing of handles (needed because
1656+
// the sweeper might actually free the underlying page).
1657+
if (object->IsFiller()) {
1658+
#ifdef DEBUG
1659+
// We need to find a FixedArrayBase map after walking the fillers.
1660+
Heap* heap = collector_->heap();
1661+
HeapObject* current = object;
1662+
while (current->IsFiller()) {
1663+
Address next = reinterpret_cast<Address>(current);
1664+
if (current->map() == heap->one_pointer_filler_map()) {
1665+
next += kPointerSize;
1666+
} else if (current->map() == heap->two_pointer_filler_map()) {
1667+
next += 2 * kPointerSize;
1668+
} else {
1669+
next += current->Size();
1670+
}
1671+
current = reinterpret_cast<HeapObject*>(next);
1672+
}
1673+
DCHECK(current->IsFixedArrayBase());
1674+
#endif // DEBUG
1675+
*p = nullptr;
1676+
return;
1677+
}
1678+
16531679
MarkBit mark_bit = Marking::MarkBitFrom(object);
16541680
if (Marking::IsBlackOrGrey(mark_bit)) return;
16551681

Collapse file

‎deps/v8/test/mjsunit/regress/regress-620553.js‎

Copy file name to clipboard
+17Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
// Copyright 2016 the V8 project authors. All rights reserved.
2+
// Use of this source code is governed by a BSD-style license that can be
3+
// found in the LICENSE file.
4+
5+
// Flags: --expose-gc
6+
7+
var o0 = [];
8+
var o1 = [];
9+
var cnt = 0;
10+
o1.__defineGetter__(0, function() {
11+
if (cnt++ > 2) return;
12+
o0.shift();
13+
gc();
14+
o0.push(0);
15+
o0.concat(o1);
16+
});
17+
o1[0];

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.