Reviewers: Jakob,
Description:
Version 4.1.0.21 (cherry-pick)
Merged 206e9136bde0f2b5ae8cb77afbb1e7833e5bd412
Unlink pages from the space page list after evacuation.
BUG=430201
LOG=N
[email protected]
Please review this at https://codereview.chromium.org/953813002/
Base URL: https://chromium.googlesource.com/v8/[email protected]
Affected files (+22, -22 lines):
M src/heap/mark-compact.cc
M src/heap/spaces.cc
M src/version.cc
A + test/mjsunit/regress/regress-430201.js
Index: src/heap/mark-compact.cc
diff --git a/src/heap/mark-compact.cc b/src/heap/mark-compact.cc
index
fa127db6129c0f1598eb2140f3d1fdb294ff4e90..c9a310a3f7aee0e915c5a674cf836ee01612e9b7
100644
--- a/src/heap/mark-compact.cc
+++ b/src/heap/mark-compact.cc
@@ -3052,6 +3052,11 @@ void MarkCompactCollector::EvacuatePages() {
// have an emergency page and the space still has room for that.
if (space->HasEmergencyMemory() && space->CanExpand()) {
EvacuateLiveObjectsFromPage(p);
+ // Unlink the page from the list of pages here. We must not iterate
+ // over that page later (e.g. when scan on scavenge pages are
+ // processed). The page itself will be freed later and is still
+ // reachable from the evacuation candidates list.
+ p->Unlink();
} else {
// Without room for expansion evacuation is not guaranteed to
succeed.
// Pessimistically abandon unevacuated pages.
Index: src/heap/spaces.cc
diff --git a/src/heap/spaces.cc b/src/heap/spaces.cc
index
3802e470bd454a7da2680589f71bd31cb86ff37a..060052e706cf4196b907bb14c535ff4982392b37
100644
--- a/src/heap/spaces.cc
+++ b/src/heap/spaces.cc
@@ -1142,7 +1142,12 @@ void PagedSpace::ReleasePage(Page* page) {
allocation_info_.set_limit(NULL);
}
- page->Unlink();
+ // If page is still in a list, unlink it from that list.
+ if (page->next_chunk() != NULL) {
+ DCHECK(page->prev_chunk() != NULL);
+ page->Unlink();
+ }
+
if (page->IsFlagSet(MemoryChunk::CONTAINS_ONLY_DATA)) {
heap()->isolate()->memory_allocator()->Free(page);
} else {
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index
9e6c767b9ccc46ece67db16e751bad7904db2513..edcf2be2db4a8654b74726cbaaed88cce42fde28
100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 4
#define MINOR_VERSION 1
#define BUILD_NUMBER 0
-#define PATCH_LEVEL 20
+#define PATCH_LEVEL 21
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
Index: test/mjsunit/regress/regress-430201.js
diff --git a/test/mjsunit/compiler/compare-map-elim.js
b/test/mjsunit/regress/regress-430201.js
similarity index 85%
copy from test/mjsunit/compiler/compare-map-elim.js
copy to test/mjsunit/regress/regress-430201.js
index
288d4811a6811691366841f7693495f6c785da9e..b53383e22e4553ae4c0542d90338b55d20d40dc9
100644
--- a/test/mjsunit/compiler/compare-map-elim.js
+++ b/test/mjsunit/regress/regress-430201.js
@@ -25,27 +25,17 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-// Flags: --allow-natives-syntax --check-elimination
+// Flags: --allow-natives-syntax --expose-gc
-a = {
- f: function() { this.y = 3; }
-};
-b = {
- f: function() { this.y = 4; }
-};
+var array_1 = [];
-function x(z) {
- return z.f();
-}
-
-x(a);
-x(b);
-x(a);
-x(b);
-x(a);
-x(b);
+%SetFlags("--stress-compaction");
+for (var a = 0; a < 10000; a++) { array_1[a * 100] = 0; }
-%OptimizeFunctionOnNextCall(x)
+gc();
+gc();
-x(a);
-x(b);
+var array_2 = [];
+for (var i = 0; i < 321361; i++) {
+ array_2[i] = String.fromCharCode(i)[0];
+}
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
