[v8-dev] Merged r19024, r19026 into trunk branch. (issue 139133004)

[hpayer]

Reviewers: Michael Achenbach,

Description:
Merged r19024, r19026 into trunk branch.
Make memento checks more stable. Add filler at the end of new space and  
check if
object and memento are on the same new space page.

Elements field of newly allocated JSArray could be left uninitialized in  
some
cases (fast literal case).

BUG=340124
LOG=N
R=machenb...@chromium.org

Please review this at https://codereview.chromium.org/139133004/

SVN Base: https://v8.googlecode.com/svn/trunk

Affected files (+62, -28 lines):
  M src/heap-inl.h
  M src/heap.cc
  M src/hydrogen.cc
  M src/mark-compact.cc
  M src/objects.cc
  M src/spaces.h
  M src/version.cc


Index: src/heap-inl.h
diff --git a/src/heap-inl.h b/src/heap-inl.h
index  
b1657ab9878dca4c5b1145bb06788e96ac4b9c25..f28b82c732a71088b46dcb9e93f4e85c470ec78f  
100644
--- a/src/heap-inl.h
+++ b/src/heap-inl.h
@@ -493,15 +493,21 @@ void Heap::UpdateAllocationSiteFeedback(HeapObject*  
object) {
   if (!FLAG_allocation_site_pretenuring ||
       !AllocationSite::CanTrack(object->map()->instance_type())) return;

-  // Either object is the last object in the from space, or there is  
another
-  // object of at least word size (the header map word) following it, so
-  // suffices to compare ptr and top here.
-  Address ptr = object->address() + object->Size();
-  Address top = heap->new_space()->FromSpacePageHigh();
-  ASSERT(ptr == top || ptr + HeapObject::kHeaderSize <= top);
-  if (ptr == top) return;
-
-  HeapObject* candidate = HeapObject::FromAddress(ptr);
+  // Check if there is potentially a memento behind the object. If
+  // the last word of the momento is on another page we return
+  // immediatelly. Note that we do not have to compare with the current
+  // top pointer of the from space page, since we always install filler
+  // objects above the top pointer of a from space page when performing
+  // a garbage collection.
+  Address object_address = object->address();
+  Address memento_address = object_address + object->Size();
+  Address last_memento_word_address = memento_address + kPointerSize;
+  if (!NewSpacePage::OnSamePage(object_address,
+                                last_memento_word_address)) {
+    return;
+  }
+
+  HeapObject* candidate = HeapObject::FromAddress(memento_address);
   if (candidate->map() != heap->allocation_memento_map()) return;

   AllocationMemento* memento = AllocationMemento::cast(candidate);
Index: src/heap.cc
diff --git a/src/heap.cc b/src/heap.cc
index  
f8588b87e6eda4763e3f757a8deda15fa47fbd42..a6db39c58cde422c7536d22c2dab95a232a75f9e  
100644
--- a/src/heap.cc
+++ b/src/heap.cc
@@ -768,6 +768,18 @@ bool Heap::CollectGarbage(AllocationSpace space,
   allocation_timeout_ = Max(6, FLAG_gc_interval);
 #endif

+  // There may be an allocation memento behind every object in new space.
+  // If we evacuate a not full new space or if we are on the last page of
+  // the new space, then there may be uninitialized memory behind the top
+  // pointer of the new space page. We store a filler object there to
+  // identify the unused space.
+  Address from_top = new_space_.top();
+  Address from_limit = new_space_.limit();
+  if (from_top < from_limit) {
+    int remaining_in_page = static_cast<int>(from_limit - from_top);
+    CreateFillerObjectAt(from_top, remaining_in_page);
+  }
+
   if (collector == SCAVENGER && !incremental_marking()->IsStopped()) {
     if (FLAG_trace_incremental_marking) {
       PrintF("[IncrementalMarking] Scavenge during marking.\n");
Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index  
478d938cf6fa27d74994d43674af59ca7f05ef41..298496f3a7ea99c272a0467af5c8bd9214b18426  
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -9906,6 +9906,13 @@ HInstruction*  
HOptimizedGraphBuilder::BuildFastLiteral(
   if (elements_size > 0) {
     HValue* object_elements_size = Add<HConstant>(elements_size);
     if (boilerplate_object->HasFastDoubleElements()) {
+      // Allocation folding will not be able to fold |object| and
+      // |object_elements| together in some cases, so initialize
+      // elements with the undefined to make GC happy.
+      HConstant* empty_fixed_array = Add<HConstant>(
+          isolate()->factory()->empty_fixed_array());
+      Add<HStoreNamedField>(object, HObjectAccess::ForElementsPointer(),
+                            empty_fixed_array, INITIALIZING_STORE);
       object_elements = Add<HAllocate>(object_elements_size,  
HType::JSObject(),
           pretenure_flag, FIXED_DOUBLE_ARRAY_TYPE,  
site_context->current());
     } else {
Index: src/mark-compact.cc
diff --git a/src/mark-compact.cc b/src/mark-compact.cc
index  
fc9f16627e423910358d2cbdec0707f3fd44fe9f..81de035b0af7a6ae67de51f738b30ecbdbcb2da5  
100644
--- a/src/mark-compact.cc
+++ b/src/mark-compact.cc
@@ -3007,20 +3007,6 @@ void MarkCompactCollector::EvacuateNewSpace() {
   new_space->Flip();
   new_space->ResetAllocationInfo();

-  // UpdateAllocationSiteFeedback expects that only objects at the end of
-  // newspace are not guaranteed to have the next word clear. It relies on
-  // FromSpacePageHigh to check whether an object is at the end of  
newspace.
-  // However, it is possible that newspace is being evacuated without it  
being
-  // full, e.g. to make the heap iterable, hence top will not equal high.  
In
-  // that case, fill up newspace with a filler to ensure the next word is
-  // cleared.
-  if (FLAG_allocation_site_pretenuring &&
-      from_top < new_space->FromSpacePageHigh()) {
-    Address limit = NewSpacePage::FromLimit(from_top)->area_end();
-    int remaining_in_page = static_cast<int>(limit - from_top);
-    heap()->CreateFillerObjectAt(from_top, remaining_in_page);
-  }
-
   int survivors_size = 0;

   // First pass: traverse all objects in inactive semispace, remove marks,
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index  
7c67539d7b6172ad9120676481c6292f3dfd5923..8bcfcd946a0ccf4dcfd830b1b2075996dad1e0b4  
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -12838,15 +12838,26 @@ MaybeObject*  
JSObject::UpdateAllocationSite(ElementsKind to_kind) {
   Heap* heap = GetHeap();
   if (!heap->InNewSpace(this)) return this;

+  // Check if there is potentially a memento behind the object. If
+  // the last word of the momento is on another page we return
+  // immediatelly.
+  Address object_address = address();
+  Address memento_address = object_address + JSArray::kSize;
+  Address last_memento_word_address = memento_address + kPointerSize;
+  if (!NewSpacePage::OnSamePage(object_address,
+                                last_memento_word_address)) {
+    return this;
+  }
+
   // Either object is the last object in the new space, or there is another
   // object of at least word size (the header map word) following it, so
   // suffices to compare ptr and top here.
-  Address ptr = address() + JSArray::kSize;
   Address top = heap->NewSpaceTop();
-  ASSERT(ptr == top || ptr + HeapObject::kHeaderSize <= top);
-  if (ptr == top) return this;
+  ASSERT(memento_address == top ||
+         memento_address + HeapObject::kHeaderSize <= top);
+  if (memento_address == top) return this;

-  HeapObject* candidate = HeapObject::FromAddress(ptr);
+  HeapObject* candidate = HeapObject::FromAddress(memento_address);
   if (candidate->map() != heap->allocation_memento_map()) return this;

   AllocationMemento* memento = AllocationMemento::cast(candidate);
Index: src/spaces.h
diff --git a/src/spaces.h b/src/spaces.h
index  
9d299c64841e9256af6ebd0cb5e9811778e8249c..9d47f81ac63dbbf65d357769c02f6307bf6ff15f  
100644
--- a/src/spaces.h
+++ b/src/spaces.h
@@ -2061,6 +2061,12 @@ class NewSpacePage : public MemoryChunk {
     return NewSpacePage::FromAddress(address_limit - 1);
   }

+  // Checks if address1 and address2 are on the same new space page.
+  static inline bool OnSamePage(Address address1, Address address2) {
+    return NewSpacePage::FromAddress(address1) ==
+           NewSpacePage::FromAddress(address2);
+  }
+
  private:
   // Create a NewSpacePage object that is only used as anchor
   // for the doubly-linked list of real pages.
@@ -2455,6 +2461,12 @@ class NewSpace : public Space {
     allocation_info_.set_top(top);
   }

+  // Return the address of the allocation pointer limit in the active  
semispace.
+  Address limit() {
+     
ASSERT(to_space_.current_page()->ContainsLimit(allocation_info_.limit()));
+    return allocation_info_.limit();
+  }
+
   // Return the address of the first object in the active semispace.
   Address bottom() { return to_space_.space_start(); }

Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index  
00dd856706d3b33efb8eb716127bcbed4478c220..93b46850807f8e76815e4cbf3065069780e08bfd  
100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     24
 #define BUILD_NUMBER      30
-#define PATCH_LEVEL       0
+#define PATCH_LEVEL       1
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0


--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.