Commit ce66c8e

committed
deps: backport 7a88ff3 from V8 upstream
This backport does not include the changes to `src/heap/scavenger.cc` as it does not exist in the V8 included in the v4.x stream. Original commit message: Filter out stale left-trimmed handles for scavenges The missing part from https://codereview.chromium.org/2078403002/ R=jochen@chromium.org BUG=chromium:621869 LOG=N Review-Url: https://codereview.chromium.org/2077353004 Cr-Commit-Position: refs/heads/master@{#37184} PR-URL: #10668 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
1 parent 8bd3d83 commit ce66c8e


6 files changed

+51
-28
lines changed

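--- a/deps/v8/src/heap/heap-inl.h
+++ b/deps/v8/src/heap/heap-inl.h
@@ -393,12 +393,35 @@ bool Heap::AllowedToBeMigrated(HeapObject* obj, AllocationSpace dst) {
 return false;
 }
 
-
 void Heap::CopyBlock(Address dst, Address src, int byte_size) {
 CopyWords(reinterpret_cast<Object**>(dst), reinterpret_cast<Object**>(src),
 static_cast<size_t>(byte_size / kPointerSize));
 }
 
+bool Heap::PurgeLeftTrimmedObject(Object** object) {
+HeapObject* current = reinterpret_cast<HeapObject*>(*object);
+const MapWord map_word = current->map_word();
+if (current->IsFiller() && !map_word.IsForwardingAddress()) {
+#ifdef DEBUG
+// We need to find a FixedArrayBase map after walking the fillers.
+while (current->IsFiller()) {
+Address next = reinterpret_cast<Address>(current);
+if (current->map() == one_pointer_filler_map()) {
+next += kPointerSize;
+} else if (current->map() == two_pointer_filler_map()) {
+next += 2 * kPointerSize;
+} else {
+next += current->Size();
+}
+current = reinterpret_cast<HeapObject*>(next);
+}
+DCHECK(current->IsFixedArrayBase());
+#endif // DEBUG
+*object = nullptr;
+return true;
+}
+return false;
+}
 
 void Heap::MoveBlock(Address dst, Address src, int byte_size) {
 DCHECK(IsAligned(byte_size, kPointerSize));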
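Review bot: In `PurgeLeftTrimmedObject` the condition evaluates `current->IsFiller()` before `map_word.IsForwardingAddress()`, so during a scavenge a slot whose target was already forwarded presumably has its forwarding word read as a Map pointer before the forwarding test can reject it. Testing the map word first keeps the type check away from a non-map value: `if (!map_word.IsForwardingAddress() && current->IsFiller()) {`. The function also casts `*object` to `HeapObject*` unconditionally; the callers are outside this section, so a `DCHECK((*object)->IsHeapObject());` at the top would pin down that precondition in debug builds.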

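--- a/deps/v8/src/heap/heap.h
+++ b/deps/v8/src/heap/heap.h
@@ -590,6 +590,12 @@ class Heap {
 // jslimit_/real_jslimit_ variable in the StackGuard.
 void SetStackLimits();
 
+// We cannot avoid stale handles to left-trimmed objects, but can only make
+// sure all handles still needed are updated. Filter out a stale pointer
+// and clear the slot to allow post processing of handles (needed because
+// the sweeper might actually free the underlying page).
+inline bool PurgeLeftTrimmedObject(Object** object);
+
 // Notifies the heap that is ok to start marking or other activities that
 // should not happen during deserialization.
 void NotifyDeserializationComplete();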
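Review bot: The comment above `PurgeLeftTrimmedObject` explains why stale slots are cleared but not what the `bool` result means, and every caller has to branch on it. I would add one line to the comment: `// Returns true if the slot pointed at a filler and was set to nullptr; the caller must then skip the slot.` That wording follows the definition in `heap-inl.h`, where `*object = nullptr;` is immediately followed by `return true;`.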

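--- a/deps/v8/src/heap/mark-compact.cc
+++ b/deps/v8/src/heap/mark-compact.cc
@@ -1650,31 +1650,7 @@ class RootMarkingVisitor : public ObjectVisitor {
 
 HeapObject* object = ShortCircuitConsString(p);
 
-// We cannot avoid stale handles to left-trimmed objects, but can only make
-// sure all handles still needed are updated. Filter out any stale pointers
-// and clear the slot to allow post processing of handles (needed because
-// the sweeper might actually free the underlying page).
-if (object->IsFiller()) {
-#ifdef DEBUG
-// We need to find a FixedArrayBase map after walking the fillers.
-Heap* heap = collector_->heap();
-HeapObject* current = object;
-while (current->IsFiller()) {
-Address next = reinterpret_cast<Address>(current);
-if (current->map() == heap->one_pointer_filler_map()) {
-next += kPointerSize;
-} else if (current->map() == heap->two_pointer_filler_map()) {
-next += 2 * kPointerSize;
-} else {
-next += current->Size();
-}
-current = reinterpret_cast<HeapObject*>(next);
-}
-DCHECK(current->IsFixedArrayBase());
-#endif // DEBUG
-*p = nullptr;
-return;
-}
+if (collector_->heap()->PurgeLeftTrimmedObject(p)) return;
 
 MarkBit mark_bit = Marking::MarkBitFrom(object);
 if (Marking::IsBlackOrGrey(mark_bit)) return;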
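Review bot: Calling `PurgeLeftTrimmedObject(p)` from the full-GC root visitor makes this path depend on `MapWord::IsForwardingAddress()`, which the comment in `objects.h` describes as only valid during a scavenge collection. The removed code cleared the slot on `object->IsFiller()` alone; if a map word can ever carry the Smi tag while marking, a stale filler slot would now be left in place and marking would continue on it. Once confirmed, a comment at the call would record why the shared helper is safe here, e.g. `// During a full GC no map word is a forwarding address, so this reduces to the IsFiller() check.` The enclosing method starts and ends outside the hunk.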

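--- a/deps/v8/src/objects-inl.h
+++ b/deps/v8/src/objects-inl.h
@@ -1351,7 +1351,7 @@ Map* MapWord::ToMap() {
 }
 
 
-bool MapWord::IsForwardingAddress() {
+bool MapWord::IsForwardingAddress() const {
 return HAS_SMI_TAG(reinterpret_cast<Object*>(value_));
 }
 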

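--- a/deps/v8/src/objects.h
+++ b/deps/v8/src/objects.h
@@ -1382,7 +1382,7 @@ class MapWord BASE_EMBEDDED {
 // True if this map word is a forwarding address for a scavenge
 // collection. Only valid during a scavenge collection (specifically,
 // when all map words are heap object pointers, i.e. not during a full GC).
-inline bool IsForwardingAddress();
+inline bool IsForwardingAddress() const;
 
 // Create a map word from a forwarding address.
 static inline MapWord FromForwardingAddress(HeapObject* object);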
+18Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
// Copyright 2016 the V8 project authors. All rights reserved.
2+
// Use of this source code is governed by a BSD-style license that can be
3+
// found in the LICENSE file.
4+
5+
// Flags: --expose-gc
6+
7+
var o0 = [];
8+
var o1 = [];
9+
var cnt = 0;
10+
var only_scavenge = true;
11+
o1.__defineGetter__(0, function() {
12+
if (cnt++ > 2) return;
13+
o0.shift();
14+
gc(only_scavenge);
15+
o0.push((64));
16+
o0.concat(o1);
17+
});
18+
o1[0];
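Review bot: The new test has no assertions and no comment saying what it guards, so a reader cannot tell that it passes simply by running to completion without a crash. A header comment after the `Flags:` line would make that explicit, e.g. `// Regression test for chromium:621869: must not crash when a scavenge runs after o0.shift() left-trims the array.` The bug number comes from the commit message; the description of the scenario is my reading of the getter body and should be confirmed.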
