Reviewers: Michael Starzinger,
Message:
PTAL
Description:
Always record all the slots of descriptor arrays to avoid crashes due to
installing descriptors into the descriptor array before the descriptor
array is
installed into the map.
This bug would be caused by, e.g., appending a descriptor to an existing
descriptor array in ShareDescriptor before installing the descriptor
array into the new map. If a GC occurs between installing the descriptor
and installing the descriptor array, the pointer to an evacuated key or
value will not be updated in the descriptor array.
BUG=
Please review this at https://codereview.chromium.org/144003007/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+16, -1 lines):
M src/objects-visiting-inl.h
Index: src/objects-visiting-inl.h
diff --git a/src/objects-visiting-inl.h b/src/objects-visiting-inl.h
index
5201a7b3180ecd2a8ad593f2b68aebc53e5bfa7a..5b8684e8ada6766effc2306822b6dd60a3f9fe43
100644
--- a/src/objects-visiting-inl.h
+++ b/src/objects-visiting-inl.h
@@ -628,8 +628,23 @@ void
StaticMarkingVisitor<StaticVisitor>::MarkMapContents(
// holding the descriptor array will be implicitly recorded when the
pointer
// fields of this map are visited.
DescriptorArray* descriptors = map->instance_descriptors();
+ MarkCompactCollector* collector = heap->mark_compact_collector();
+
if (StaticVisitor::MarkObjectWithoutPush(heap, descriptors) &&
descriptors->length() > 0) {
+ // Record all keys and values in the descriptor array to ensure that
they
+ // are updated if they are on evacuation candidates and are alive, but
the
+ // descriptor array is not yet installed in the map that's adding the
+ // descriptors.
+ for (int i = 0; i < descriptors->number_of_descriptors(); i++) {
+ Object** key_slot = descriptors->GetKeySlot(i);
+ ASSERT((*key_slot)->IsHeapObject());
+ collector->RecordSlot(key_slot, key_slot, *key_slot);
+ Object** value_slot = descriptors->GetValueSlot(i);
+ if ((*value_slot)->IsHeapObject()) {
+ collector->RecordSlot(value_slot, value_slot, *value_slot);
+ }
+ }
StaticVisitor::VisitPointers(heap,
descriptors->GetFirstElementAddress(),
descriptors->GetDescriptorEndSlot(0));
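Review bot: The comment above the loop says the keys and values are updated "if they are ... alive", but the loop only calls `collector->RecordSlot` on each slot and never marks the referents, so a key or value of a descriptor that no installed map yet covers stays alive only while the appending code (ShareDescriptor, per the description) still holds it in a handle — worth stating next to the loop, e.g. `// Only the slots are recorded; the referents are not marked here and must be kept alive by whoever appended the descriptor.` The loop also re-reads `descriptors->number_of_descriptors()` on every iteration; hoisting it into `int count = descriptors->number_of_descriptors();` before the `for` would match the `collector` local hoisted above the `if`. If the rest of MarkMapContents (outside this hunk) still visits the own-descriptor range through VisitPointers, which presumably records slots via the marking visitor, the slots below `map->NumberOfOwnDescriptors()` are now recorded twice; starting the loop at that index instead of 0 would avoid the duplicate SlotsBuffer entries if so. MarkMapContents begins before this hunk and continues after it.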
@@ -647,7 +662,7 @@ void
StaticMarkingVisitor<StaticVisitor>::MarkMapContents(
// codes when we iterate over maps in ClearNonLiveTransitions.
Object** slot = HeapObject::RawField(map, Map::kDependentCodeOffset);
HeapObject* obj = HeapObject::cast(*slot);
- heap->mark_compact_collector()->RecordSlot(slot, slot, obj);
+ collector->RecordSlot(slot, slot, obj);
StaticVisitor::MarkObjectWithoutPush(heap, obj);
// Mark the pointer fields of the Map. Since the transitions array has