Filter out store/slots buffer entries that point into raw data objects.

src/heap/mark-compact.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/v8.h"
 
 #include "src/base/atomicops.h"
 #include "src/base/bits.h"
 #include "src/code-stubs.h"
 #include "src/compilation-cache.h"
@@ skipping 3120 matching lines @@
 
 bool MarkCompactCollector::IsSlotInLiveObject(Address slot) {
   HeapObject* object = NULL;
   // The target object is black but we don't know if the source slot is black.
   // The source object could have died and the slot could be part of a free
   // space. Find out based on mark bits if the slot is part of a live object.
   if (!IsSlotInBlackObject(Page::FromAddress(slot), slot, &object)) {
     return false;
   }
 
-#if V8_DOUBLE_FIELDS_UNBOXING
   // |object| is NULL only when the slot belongs to large object space.
   DCHECK(object != NULL ||
          Page::FromAnyPointerAddress(heap_, slot)->owner() ==
              heap_->lo_space());
   // We don't need to check large objects' layout descriptor since it can't
   // contain in-object fields anyway.
   if (object != NULL) {
-    // Filter out slots that happens to point to unboxed double fields.
-    LayoutDescriptorHelper helper(object->map());
-    bool has_only_tagged_fields = helper.all_fields_tagged();
-    if (!has_only_tagged_fields &&
-        !helper.IsTagged(static_cast<int>(slot - object->address()))) {
-      return false;
+    // TODO(ishell): This is a workaround for crbug/454297. We must not have
+    // slots in data objects at all. Remove this once we found the root cause.
+    InstanceType type = object->map()->instance_type();
+    // Slots in maps and code can't be invalid because they are never shrunk.
+    if (type == MAP_TYPE || type == CODE_TYPE) return true;
+    if (type == CONSTANT_POOL_ARRAY_TYPE) {
+      if (FLAG_enable_ool_constant_pool) {
+        // TODO(ishell): implement constant pool support if we ever enable it.
+        UNIMPLEMENTED();
+      } else {
+        // This is left here just to make constant pool unit tests work.
+        return true;
+      }
+    }
+    // Consider slots in objects that contain ONLY raw data as invalid.
+    if (object->MayContainRawValues()) return false;
+    if (FLAG_unbox_double_fields) {
+      // Filter out slots that happen to point to unboxed double fields.
+      LayoutDescriptorHelper helper(object->map());
+      bool has_only_tagged_fields = helper.all_fields_tagged();
+      if (!has_only_tagged_fields &&
+          !helper.IsTagged(static_cast<int>(slot - object->address()))) {
+        return false;
+      }
     }
   }
-#endif
 
   return true;
 }
 
 
 void MarkCompactCollector::VerifyIsSlotInLiveObject(Address slot,
                                                     HeapObject* object) {
   // The target object has to be black.
   CHECK(Marking::IsBlack(Marking::MarkBitFrom(object)));
 
@@ skipping 1490 matching lines @@
   SlotsBuffer* buffer = *buffer_address;
   while (buffer != NULL) {
     SlotsBuffer* next_buffer = buffer->next();
     DeallocateBuffer(buffer);
     buffer = next_buffer;
   }
   *buffer_address = NULL;
 }
 }  // namespace internal
 }  // namespace v8