Revision: 19029
Author: [email protected]
Date: Mon Feb 3 14:21:46 2014 UTC
Log: Merged r19024, r19026 into trunk branch.
Make memento checks more stable. Add filler at the end of new space and
check if object and memento are on the same new space page.
Elements field of newly allocated JSArray could be left uninitialized in
some cases (fast literal case).
BUG=340124
LOG=N
[email protected], [email protected]
Review URL: https://codereview.chromium.org/139133004
http://code.google.com/p/v8/source/detail?r=19029
Modified:
/trunk/src/heap-inl.h
/trunk/src/heap.cc
/trunk/src/hydrogen.cc
/trunk/src/mark-compact.cc
/trunk/src/objects.cc
/trunk/src/spaces.h
/trunk/src/version.cc
=======================================
--- /trunk/src/heap-inl.h Mon Feb 3 07:23:16 2014 UTC
+++ /trunk/src/heap-inl.h Mon Feb 3 14:21:46 2014 UTC
@@ -493,15 +493,21 @@
if (!FLAG_allocation_site_pretenuring ||
!AllocationSite::CanTrack(object->map()->instance_type())) return;
- // Either object is the last object in the from space, or there is
another
- // object of at least word size (the header map word) following it, so
- // suffices to compare ptr and top here.
- Address ptr = object->address() + object->Size();
- Address top = heap->new_space()->FromSpacePageHigh();
- ASSERT(ptr == top || ptr + HeapObject::kHeaderSize <= top);
- if (ptr == top) return;
+ // Check if there is potentially a memento behind the object. If
+ // the last word of the momento is on another page we return
+ // immediatelly. Note that we do not have to compare with the current
+ // top pointer of the from space page, since we always install filler
+ // objects above the top pointer of a from space page when performing
+ // a garbage collection.
+ Address object_address = object->address();
+ Address memento_address = object_address + object->Size();
+ Address last_memento_word_address = memento_address + kPointerSize;
+ if (!NewSpacePage::OnSamePage(object_address,
+ last_memento_word_address)) {
+ return;
+ }
- HeapObject* candidate = HeapObject::FromAddress(ptr);
+ HeapObject* candidate = HeapObject::FromAddress(memento_address);
if (candidate->map() != heap->allocation_memento_map()) return;
AllocationMemento* memento = AllocationMemento::cast(candidate);
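Review bot: The page-boundary test hard-codes the memento layout as `memento_address + kPointerSize`, so the bound goes stale without warning if AllocationMemento ever gains a field. Deriving it from the type, `Address last_memento_word_address = memento_address + AllocationMemento::kSize - kPointerSize;`, keeps the check tied to the layout; the objects.cc hunk carries the same constant. With the old `ASSERT` removed, no debug-build check in this hunk verifies the filler invariant that the new comment relies on before `candidate->map()` is read. The comment also misspells "memento" and "immediately". The enclosing function starts and ends outside the hunk.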
=======================================
--- /trunk/src/heap.cc Sat Feb 1 08:54:43 2014 UTC
+++ /trunk/src/heap.cc Mon Feb 3 14:21:46 2014 UTC
@@ -767,6 +767,18 @@
// allocation attempts to go through.
allocation_timeout_ = Max(6, FLAG_gc_interval);
#endif
+
+ // There may be an allocation memento behind every object in new space.
+ // If we evacuate a not full new space or if we are on the last page of
+ // the new space, then there may be uninitialized memory behind the top
+ // pointer of the new space page. We store a filler object there to
+ // identify the unused space.
+ Address from_top = new_space_.top();
+ Address from_limit = new_space_.limit();
+ if (from_top < from_limit) {
+ int remaining_in_page = static_cast<int>(from_limit - from_top);
+ CreateFillerObjectAt(from_top, remaining_in_page);
+ }
if (collector == SCAVENGER && !incremental_marking()->IsStopped()) {
if (FLAG_trace_incremental_marking) {
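Review bot: The filler here covers only `from_top` up to `new_space_.limit()`, whereas the code removed from mark-compact.cc filled up to `NewSpacePage::FromLimit(from_top)->area_end()`. If the allocation limit can sit below the end of the page (not visible in this hunk), the words between the limit and the page end stay uninitialized. The memento lookup in heap-inl.h now depends on the same-page test alone, so it could read them as a candidate map. Consider computing the length from the page end instead, e.g. `int remaining_in_page = static_cast<int>(NewSpacePage::FromLimit(from_top)->area_end() - from_top);`, or state in the comment why the limit always equals the page end at this point. The enclosing function starts and ends outside the hunk.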
=======================================
--- /trunk/src/hydrogen.cc Sat Feb 1 08:54:43 2014 UTC
+++ /trunk/src/hydrogen.cc Mon Feb 3 14:21:46 2014 UTC
@@ -9906,6 +9906,13 @@
if (elements_size > 0) {
HValue* object_elements_size = Add<HConstant>(elements_size);
if (boilerplate_object->HasFastDoubleElements()) {
+ // Allocation folding will not be able to fold |object| and
+ // |object_elements| together in some cases, so initialize
+ // elements with the undefined to make GC happy.
+ HConstant* empty_fixed_array = Add<HConstant>(
+ isolate()->factory()->empty_fixed_array());
+ Add<HStoreNamedField>(object, HObjectAccess::ForElementsPointer(),
+ empty_fixed_array, INITIALIZING_STORE);
object_elements = Add<HAllocate>(object_elements_size,
HType::JSObject(),
pretenure_flag, FIXED_DOUBLE_ARRAY_TYPE,
site_context->current());
} else {
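Review bot: The added comment says the elements field is initialized "with the undefined", but the store writes `empty_fixed_array`. The comment should name the value actually stored, for example `// ... so initialize the elements field with the empty fixed array; the GC must never see an uninitialized pointer there.` The store is added only in the `HasFastDoubleElements()` branch. The `else` branch continues outside the hunk, so whether it needs the same initializing store cannot be checked from here.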
=======================================
--- /trunk/src/mark-compact.cc Mon Feb 3 07:23:16 2014 UTC
+++ /trunk/src/mark-compact.cc Mon Feb 3 14:21:46 2014 UTC
@@ -3006,20 +3006,6 @@
// live objects.
new_space->Flip();
new_space->ResetAllocationInfo();
-
- // UpdateAllocationSiteFeedback expects that only objects at the end of
- // newspace are not guaranteed to have the next word clear. It relies on
- // FromSpacePageHigh to check whether an object is at the end of
newspace.
- // However, it is possible that newspace is being evacuated without it
being
- // full, e.g. to make the heap iterable, hence top will not equal high.
In
- // that case, fill up newspace with a filler to ensure the next word is
- // cleared.
- if (FLAG_allocation_site_pretenuring &&
- from_top < new_space->FromSpacePageHigh()) {
- Address limit = NewSpacePage::FromLimit(from_top)->area_end();
- int remaining_in_page = static_cast<int>(limit - from_top);
- heap()->CreateFillerObjectAt(from_top, remaining_in_page);
- }
int survivors_size = 0;
=======================================
--- /trunk/src/objects.cc Sat Feb 1 08:54:43 2014 UTC
+++ /trunk/src/objects.cc Mon Feb 3 14:21:46 2014 UTC
@@ -12837,16 +12837,27 @@
Heap* heap = GetHeap();
if (!heap->InNewSpace(this)) return this;
+
+ // Check if there is potentially a memento behind the object. If
+ // the last word of the momento is on another page we return
+ // immediatelly.
+ Address object_address = address();
+ Address memento_address = object_address + JSArray::kSize;
+ Address last_memento_word_address = memento_address + kPointerSize;
+ if (!NewSpacePage::OnSamePage(object_address,
+ last_memento_word_address)) {
+ return this;
+ }
// Either object is the last object in the new space, or there is another
// object of at least word size (the header map word) following it, so
// suffices to compare ptr and top here.
- Address ptr = address() + JSArray::kSize;
Address top = heap->NewSpaceTop();
- ASSERT(ptr == top || ptr + HeapObject::kHeaderSize <= top);
- if (ptr == top) return this;
+ ASSERT(memento_address == top ||
+ memento_address + HeapObject::kHeaderSize <= top);
+ if (memento_address == top) return this;
- HeapObject* candidate = HeapObject::FromAddress(ptr);
+ HeapObject* candidate = HeapObject::FromAddress(memento_address);
if (candidate->map() != heap->allocation_memento_map()) return this;
AllocationMemento* memento = AllocationMemento::cast(candidate);
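Review bot: The retained comment above `Address top` still says "suffices to compare ptr and top here", but this hunk renames `ptr` to `memento_address`, so the comment refers to a variable that no longer exists. Update it to `// suffices to compare memento_address and top here.` and fix "momento" and "immediatelly" in the new comment. The enclosing function starts and ends outside the hunk.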
=======================================
--- /trunk/src/spaces.h Fri Jan 24 01:05:19 2014 UTC
+++ /trunk/src/spaces.h Mon Feb 3 14:21:46 2014 UTC
@@ -2060,6 +2060,12 @@
static inline NewSpacePage* FromLimit(Address address_limit) {
return NewSpacePage::FromAddress(address_limit - 1);
}
+
+ // Checks if address1 and address2 are on the same new space page.
+ static inline bool OnSamePage(Address address1, Address address2) {
+ return NewSpacePage::FromAddress(address1) ==
+ NewSpacePage::FromAddress(address2);
+ }
private:
// Create a NewSpacePage object that is only used as anchor
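Review bot: The comment on `OnSamePage` does not say how an address that equals a page limit is classified. `FromLimit` directly above subtracts one before calling `FromAddress`, which suggests a limit address resolves to the following page, and the memento checks that call this helper depend on that. A second comment line would record the contract, e.g. `// An address equal to a page limit counts as the next page (compare FromLimit).`, to be confirmed against `FromAddress`, which is not visible here.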
@@ -2454,6 +2460,12 @@
ASSERT(to_space_.current_page()->ContainsLimit(top));
allocation_info_.set_top(top);
}
+
+ // Return the address of the allocation pointer limit in the active
semispace.
+ Address limit() {
+
ASSERT(to_space_.current_page()->ContainsLimit(allocation_info_.limit()));
+ return allocation_info_.limit();
+ }
// Return the address of the first object in the active semispace.
Address bottom() { return to_space_.space_start(); }
=======================================
--- /trunk/src/version.cc Mon Feb 3 07:23:16 2014 UTC
+++ /trunk/src/version.cc Mon Feb 3 14:21:46 2014 UTC
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 24
#define BUILD_NUMBER 30
-#define PATCH_LEVEL 0
+#define PATCH_LEVEL 1
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0