[heap] fix crash during the scavenge of ArrayBuffer

src/heap/store-buffer.cc

 // Copyright 2011 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/heap/store-buffer.h"
 
 #include <algorithm>
 
 #include "src/counters.h"
 #include "src/heap/incremental-marking.h"
+#include "src/heap/mark-compact-inl.h"
 #include "src/heap/store-buffer-inl.h"
 #include "src/isolate.h"
 #include "src/objects-inl.h"
 #include "src/v8.h"
 
 namespace v8 {
 namespace internal {
 
 StoreBuffer::StoreBuffer(Heap* heap)
     : heap_(heap),
@@ skipping 517 matching lines @@
         }
       }
     }
     if (callback_ != NULL) {
       (*callback_)(heap_, NULL, kStoreBufferScanningPageEvent);
     }
   }
 }
 
 
+void StoreBuffer::IterateAndMarkPointersToFromSpace(
+    HeapObject* object, Address start, Address end, bool record_slots,
+    ObjectSlotCallback slot_callback) {
+  Address slot_address = start;
+
+  while (slot_address < end) {
+    Object** slot = reinterpret_cast<Object**>(slot_address);
+    Object* target = *slot;
+    // If the store buffer becomes overfull we mark pages as being exempt from
+    // the store buffer.  These pages are scanned to find pointers that point
+    // to the new space.  In that case we may hit newly promoted objects and
+    // fix the pointers before the promotion queue gets to them.  Thus the 'if'.
+    if (target->IsHeapObject()) {
+      if (heap_->InFromSpace(target)) {
+        slot_callback(reinterpret_cast<HeapObject**>(slot),
+                      HeapObject::cast(target));
+        Object* new_target = *slot;
+        if (heap_->InNewSpace(new_target)) {
+          SLOW_DCHECK(heap_->InToSpace(new_target));
+          SLOW_DCHECK(new_target->IsHeapObject());
+          EnterDirectlyIntoStoreBuffer(reinterpret_cast<Address>(slot));
+        }
+        SLOW_DCHECK(!MarkCompactCollector::IsOnEvacuationCandidate(new_target));
+      } else if (record_slots &&
+                 MarkCompactCollector::IsOnEvacuationCandidate(target)) {
+        heap_->mark_compact_collector()->RecordSlot(object, slot, target);
+      }
+    }
+    slot_address += kPointerSize;
+  }
+}
+
+
+void StoreBuffer::IteratePointersToFromSpace(HeapObject* target, int size,
+                                             ObjectSlotCallback slot_callback) {
+  Address obj_address = target->address();
+
+  // We are not collecting slots on new space objects during mutation
+  // thus we have to scan for pointers to evacuation candidates when we
+  // promote objects. But we should not record any slots in non-black
+  // objects. Grey object's slots would be rescanned.
+  // White object might not survive until the end of collection
+  // it would be a violation of the invariant to record it's slots.
+  bool record_slots = false;
+  if (heap_->incremental_marking()->IsCompacting()) {
+    MarkBit mark_bit = Marking::MarkBitFrom(target);
+    record_slots = Marking::IsBlack(mark_bit);
+  }
+
+  // Do not scavenge JSArrayBuffer's contents
+  switch (target->ContentType()) {
+    case HeapObjectContents::kTaggedValues: {
+      IterateAndMarkPointersToFromSpace(target, obj_address, obj_address + size,
+                                        record_slots, slot_callback);
+      break;
+    }
+    case HeapObjectContents::kMixedValues: {
+      if (target->IsFixedTypedArrayBase()) {
+        IterateAndMarkPointersToFromSpace(
+            target, obj_address + FixedTypedArrayBase::kBasePointerOffset,
+            obj_address + FixedTypedArrayBase::kHeaderSize, record_slots,
+            slot_callback);
+      } else if (target->IsBytecodeArray()) {
+        IterateAndMarkPointersToFromSpace(
+            target, obj_address + BytecodeArray::kConstantPoolOffset,
+            obj_address + BytecodeArray::kHeaderSize, record_slots,
+            slot_callback);
+      } else if (target->IsJSArrayBuffer()) {
+        IterateAndMarkPointersToFromSpace(
+            target, obj_address,
+            obj_address + JSArrayBuffer::kByteLengthOffset + kPointerSize,
+            record_slots, slot_callback);
+        IterateAndMarkPointersToFromSpace(
+            target, obj_address + JSArrayBuffer::kSize, obj_address + size,
+            record_slots, slot_callback);
+#if V8_DOUBLE_FIELDS_UNBOXING
+      } else if (FLAG_unbox_double_fields) {
+        LayoutDescriptorHelper helper(target->map());
+        DCHECK(!helper.all_fields_tagged());
+
+        for (int offset = 0; offset < size;) {
+          int end_of_region_offset;
+          if (helper.IsTagged(offset, size, &end_of_region_offset)) {
+            IterateAndMarkPointersToFromSpace(
+                target, obj_address + offset,
+                obj_address + end_of_region_offset, record_slots,
+                slot_callback);
+          }
+          offset = end_of_region_offset;
+        }
+#endif
+      }
+      break;
+    }
+    case HeapObjectContents::kRawValues: {
+      break;
+    }
+  }
+}
+
+
 void StoreBuffer::Compact() {
   Address* top = reinterpret_cast<Address*>(heap_->store_buffer_top());
 
   if (top == start_) return;
 
   // There's no check of the limit in the loop below so we check here for
   // the worst case (compaction doesn't eliminate any pointers).
   DCHECK(top <= limit_);
   heap_->set_store_buffer_top(reinterpret_cast<Smi*>(start_));
   EnsureSpace(top - start_);
@@ skipping 83 matching lines @@
       DCHECK(start_of_current_page_ != store_buffer_->Top());
       store_buffer_->SetTop(start_of_current_page_);
     }
   } else {
     UNREACHABLE();
   }
 }
 
 }  // namespace internal
 }  // namespace v8