heap: make array buffer maps disjoint

src/heap/mark-compact.cc

Index: src/heap/mark-compact.cc
diff --git a/src/heap/mark-compact.cc b/src/heap/mark-compact.cc
index f95b91ac4db80791a7cf2dc9ea408e9369a1286e..603d8e3efd60a724507cd8e9997420f66b58b880 100644
--- a/src/heap/mark-compact.cc
+++ b/src/heap/mark-compact.cc
@@ -1867,6 +1867,11 @@ int MarkCompactCollector::DiscoverAndEvacuateBlackObjectsOnPage(
       Object* target = allocation.ToObjectChecked();
 
       MigrateObject(HeapObject::cast(target), object, size, NEW_SPACE);
+      // If we end up needing more special cases, we should factor this out.

[Michael Lippautz, 2015/09/02 07:23:00]

Remove this comment.

[fedor.indutny, 2015/09/02 08:56:08]

Acknowledged.

+      if (V8_UNLIKELY(target->IsJSArrayBuffer())) {
+        heap()->RegisterLiveArrayBuffer(
+            true, JSArrayBuffer::cast(target)->backing_store());
+      }
       heap()->IncrementSemiSpaceCopiedObjectSize(size);
     }
     *cells = 0;
@@ -4431,10 +4436,13 @@ void MarkCompactCollector::SweepSpaces() {
   // buffer entries are already filter out. We can just release the memory.
   heap()->FreeQueuedChunks();
 
-  heap()->FreeDeadArrayBuffers(false);
-
   EvacuateNewSpaceAndCandidates();
 
+  // NOTE: ArrayBuffers must be evacuated first, before freeing them. Otherwise
+  // not yet discovered buffers for scavenge will have all of them, and they
+  // will be erroneously freed.

[Michael Lippautz, 2015/09/02 07:23:00]

Replace to:

EvacuateNewSpaceAndCandidates iterates over new space objects and for
ArrayBuffers either re-registers them as live or promotes them. This is needed
to properly free them.

[fedor.indutny, 2015/09/02 08:56:08]

Acknowledged.

+  heap()->FreeDeadArrayBuffers(false);
+
   // Clear the marking state of live large objects.
   heap_->lo_space()->ClearMarkingStateOfLiveObjects();