Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(383)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 1492823002: Revert of "[heap] Clean up stale store buffer entries for aborted pages." (Closed)

Created:
5 years ago by Michael Lippautz
Modified:
5 years ago
CC:
v8-reviews_googlegroups.com, Michael Hablich
Base URL:
https://chromium.googlesource.com/v8/v8.git@master
Target Ref:
refs/pending/heads/master
Project:
v8
Visibility:
Public.

Description

Revert of "[heap] Clean up stale store buffer entries for aborted pages." (patchset #3 id:40001 of https://codereview.chromium.org/1494503004/ ) Reason for revert: Still failing on GC stress https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux%20-%20gc%20stress/builds/690 Original issue's description: > Reland of "[heap] Clean up stale store buffer entries for aborted pages." > > This reverts commit d4fc4a8cad0a8f94ea2a8bca7c76cebd8793395c. > > 1. Let X be the aborted slot (slot in an evacuated object in an aborted page) > 2. Assume X contains pointer to Y and Y is in the new space, so X is in the > store buffer. > 3. Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)). > 4. The current mark-sweep finishes. The slot X is in free space and is also in > the store buffer. > 5. A string of length 9 "abcdefghi" is allocated in the new space. The string > looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is > previous garbage. Let's assume that NNNNNNN0 was pointing to a new space > object before. > 6. Scavenge happens. > 7. Slot X is still in free space and in store buffer. [It causes scavenge of > the object Y in > store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But > it is not important]. > 8. Our string is promoted and is allocated over the slot X, such that NNNNNNNi > is written in X. > 9. The scavenge finishes. > 9. Another scavenge starts. > 10. We crash in > store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when > processing slot X, because it doesn't point to valid map. > > BUG=chromium:524425, chromium:564498 > LOG=N > R=hpayer@chromium.org, ulan@chromium.org > > Committed: https://crrev.com/fc6ff534003480e49dc481d9c665e961ab709c02 > Cr-Commit-Position: refs/heads/master@{#32514} TBR=hpayer@chromium.org,ulan@chromium.org NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG=chromium:524425, chromium:564498 Committed: https://crrev.com/232276810476f8639c832ae1c772f087d4042a10 Cr-Commit-Position: refs/heads/master@{#32520}

Patch Set 1 #

Unified diffs Side-by-side diffs Delta from patch set Stats (+9 lines, -19 lines) Patch
M src/heap/mark-compact.cc View 4 chunks +8 lines, -17 lines 0 comments Download
M src/heap/spaces.h View 1 chunk +1 line, -2 lines 0 comments Download

Messages

Total messages: 6 (2 generated)
Michael Lippautz
Created Revert of "[heap] Clean up stale store buffer entries for aborted pages."
5 years ago (2015-12-02 14:47:14 UTC) #1
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1492823002/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1492823002/1
5 years ago (2015-12-02 14:47:21 UTC) #2
commit-bot: I haz the power
Committed patchset #1 (id:1)
5 years ago (2015-12-02 14:47:30 UTC) #4
commit-bot: I haz the power
5 years ago (2015-12-02 14:48:12 UTC) #6
Message was sent while issue was closed. 
Patchset 1 (id:??) landed as
https://crrev.com/232276810476f8639c832ae1c772f087d4042a10
Cr-Commit-Position: refs/heads/master@{#32520}

Powered by Google App Engine
This is Rietveld 408576698