Reviewers: ulan,
Description:
Unlink pages from the space page list after evacuation.
BUG=430201
LOG=n
Please review this at https://codereview.chromium.org/937833002/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+21, -21 lines):
M src/heap/mark-compact.cc
M src/heap/spaces.cc
A + test/mjsunit/regress/regress-430201.js
Index: src/heap/mark-compact.cc
diff --git a/src/heap/mark-compact.cc b/src/heap/mark-compact.cc
index
37651e7133eb9c367b1cdff17e7a2df5b73ddadf..f2b2ce171a9b6aca5d6152ba44422f8374b7317c
100644
--- a/src/heap/mark-compact.cc
+++ b/src/heap/mark-compact.cc
@@ -3060,6 +3060,11 @@ void MarkCompactCollector::EvacuatePages() {
// have an emergency page and the space still has room for that.
if (space->HasEmergencyMemory() && space->CanExpand()) {
EvacuateLiveObjectsFromPage(p);
+ // Unlink the page from the list of pages here. We must not iterate
+ // over that page later (e.g. when scan on scavenge pages are
+ // processed). The page itself will be freed later and is still
+ // reachable from the evacuation candidates list.
+ p->Unlink();
} else {
// Without room for expansion evacuation is not guaranteed to
succeed.
// Pessimistically abandon unevacuated pages.
Index: src/heap/spaces.cc
diff --git a/src/heap/spaces.cc b/src/heap/spaces.cc
index
38d3a9ad3d7d2474680de8ad6f82a7c800fb4f6e..1219a7a74dbc58a3305168aaf69198b4b64665dc
100644
--- a/src/heap/spaces.cc
+++ b/src/heap/spaces.cc
@@ -1110,7 +1110,12 @@ void PagedSpace::ReleasePage(Page* page) {
allocation_info_.set_limit(NULL);
}
- page->Unlink();
+ // If page is still in a list, unlink it from that list.
+ if (page->next_chunk() != NULL) {
+ DCHECK(page->prev_chunk() != NULL);
+ page->Unlink();
+ }
+
if (page->IsFlagSet(MemoryChunk::CONTAINS_ONLY_DATA)) {
heap()->isolate()->memory_allocator()->Free(page);
} else {
Index: test/mjsunit/regress/regress-430201.js
diff --git a/test/mjsunit/compiler/compare-map-elim.js
b/test/mjsunit/regress/regress-430201.js
similarity index 85%
copy from test/mjsunit/compiler/compare-map-elim.js
copy to test/mjsunit/regress/regress-430201.js
index
288d4811a6811691366841f7693495f6c785da9e..b53383e22e4553ae4c0542d90338b55d20d40dc9
100644
--- a/test/mjsunit/compiler/compare-map-elim.js
+++ b/test/mjsunit/regress/regress-430201.js
@@ -25,27 +25,17 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-// Flags: --allow-natives-syntax --check-elimination
+// Flags: --allow-natives-syntax --expose-gc
-a = {
- f: function() { this.y = 3; }
-};
-b = {
- f: function() { this.y = 4; }
-};
+var array_1 = [];
-function x(z) {
- return z.f();
-}
-
-x(a);
-x(b);
-x(a);
-x(b);
-x(a);
-x(b);
+%SetFlags("--stress-compaction");
+for (var a = 0; a < 10000; a++) { array_1[a * 100] = 0; }
-%OptimizeFunctionOnNextCall(x)
+gc();
+gc();
-x(a);
-x(b);
+var array_2 = [];
+for (var i = 0; i < 321361; i++) {
+ array_2[i] = String.fromCharCode(i)[0];
+}
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
