Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(380)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: src/heap/mark-compact.cc

Issue 1106983004: Filter out store/slots buffer entries that point into raw data objects. (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Rebased and TODO added Created 5 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: src/heap/mark-compact.cc
diff --git a/src/heap/mark-compact.cc b/src/heap/mark-compact.cc
index 2c5a053c74a61f76e6e089c433a0dc3fe843254b..521be78e2eff9976cd0db5d49e27ca5888c958db 100644
--- a/src/heap/mark-compact.cc
+++ b/src/heap/mark-compact.cc
@@ -3138,7 +3138,6 @@ bool MarkCompactCollector::IsSlotInLiveObject(Address slot) {
return false;
}
-#if V8_DOUBLE_FIELDS_UNBOXING
// |object| is NULL only when the slot belongs to large object space.
DCHECK(object != NULL ||
Page::FromAnyPointerAddress(heap_, slot)->owner() ==
@@ -3146,15 +3145,32 @@ bool MarkCompactCollector::IsSlotInLiveObject(Address slot) {
// We don't need to check large objects' layout descriptor since it can't
// contain in-object fields anyway.
if (object != NULL) {
- // Filter out slots that happens to point to unboxed double fields.
- LayoutDescriptorHelper helper(object->map());
- bool has_only_tagged_fields = helper.all_fields_tagged();
- if (!has_only_tagged_fields &&
- !helper.IsTagged(static_cast<int>(slot - object->address()))) {
- return false;
+ // TODO(ishell): This is a workaround for crbug/454297. We must not have
+ // slots in data objects at all. Remove this once we found the root cause.
+ InstanceType type = object->map()->instance_type();
+ // Slots in maps and code can't be invalid because they are never shrunk.
+ if (type == MAP_TYPE || type == CODE_TYPE) return true;
+ if (type == CONSTANT_POOL_ARRAY_TYPE) {
+ if (FLAG_enable_ool_constant_pool) {
+ // TODO(ishell): implement constant pool support if we ever enable it.
+ UNIMPLEMENTED();
+ } else {
+ // This is left here just to make constant pool unit tests work.
+ return true;
+ }
+ }
+ // Consider slots in objects that contain ONLY raw data as invalid.
+ if (object->MayContainRawValues()) return false;
+ if (FLAG_unbox_double_fields) {
+ // Filter out slots that happen to point to unboxed double fields.
+ LayoutDescriptorHelper helper(object->map());
+ bool has_only_tagged_fields = helper.all_fields_tagged();
+ if (!has_only_tagged_fields &&
+ !helper.IsTagged(static_cast<int>(slot - object->address()))) {
+ return false;
+ }
}
}
-#endif
return true;
}
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698