Reland "Replace slots buffer with remembered set. (patchset #14 id:250001 of https://codereview.chr…

Reland "Replace slots buffer with remembered set. (patchset #14 id:250001 of https://codereview.chromium.org/1703823002/ )"

This reverts commit 9146bc5e2075797432c814b51c3e862ff959aacc.

This contains a fix for the following crash:
1. We record slots for a fixed array.
2. We trim the fixed array, so that some recorded slots are now in free space.
3. During mark-compact we sweep the page with the fixed array. Now free list items contain memory with recorded slots.
4. We evacuate a byte array using the new free list items.
5. We iterate slots that are now inside the byte array and crash.

BUG=chromium:589413, chromium:578883
LOG=NO

Committed: https://crrev.com/01b8fc894b74ac9c12e18a1308950bb4a2f7c550
Cr-Commit-Position: refs/heads/master@{#34302}

[ulan, 2016-02-25 09:06:27]

Description was changed from

==========
Reland "Replace slots buffer with remembered set. (patchset #14 id:250001 of
https://codereview.chromium.org/1703823002/ )"

This reverts commit 9146bc5e2075797432c814b51c3e862ff959aacc.

BUG=chromium:589413,chromium:578883
LOG=NO
==========

to

==========
Reland "Replace slots buffer with remembered set. (patchset #14 id:250001 of
https://codereview.chromium.org/1703823002/ )"

This reverts commit 9146bc5e2075797432c814b51c3e862ff959aacc.

This contains a fix for the following crash:
1. We record slots for a fixed array.
2. We trim the fixed array, so that some recorded slots are not in free space.
3. During mark-compact we sweep the page with the fixed array. Now free list
items contains memory with recorded slots.
4. We evacuate a byte array using the new free list items.
5. We iterate slots that are now inside the byte array and crash.



BUG=chromium:589413,chromium:578883
LOG=NO
==========

[ulan, 2016-02-25 09:06:44]

Description was changed from

==========
Reland "Replace slots buffer with remembered set. (patchset #14 id:250001 of
https://codereview.chromium.org/1703823002/ )"

This reverts commit 9146bc5e2075797432c814b51c3e862ff959aacc.

This contains a fix for the following crash:
1. We record slots for a fixed array.
2. We trim the fixed array, so that some recorded slots are not in free space.
3. During mark-compact we sweep the page with the fixed array. Now free list
items contains memory with recorded slots.
4. We evacuate a byte array using the new free list items.
5. We iterate slots that are now inside the byte array and crash.



BUG=chromium:589413,chromium:578883
LOG=NO
==========

to

==========
Reland "Replace slots buffer with remembered set. (patchset #14 id:250001 of
https://codereview.chromium.org/1703823002/ )"

This reverts commit 9146bc5e2075797432c814b51c3e862ff959aacc.

This contains a fix for the following crash:
1. We record slots for a fixed array.
2. We trim the fixed array, so that some recorded slots are now in free space.
3. During mark-compact we sweep the page with the fixed array. Now free list
items contains memory with recorded slots.
4. We evacuate a byte array using the new free list items.
5. We iterate slots that are now inside the byte array and crash.



BUG=chromium:589413,chromium:578883
LOG=NO
==========

[ulan, 2016-02-25 09:08:02]

ulan@chromium.org changed reviewers:
+ jochen@chromium.org

[ulan, 2016-02-25 09:08:03]

PTAL.

PS1 is the original CL. The regression test is in PS2. The fix with additional
checks is in PS3.

[jochen (gone - plz use gerrit), 2016-02-25 09:24:18]

lgtm

[ulan, 2016-02-25 09:32:42]

Description was changed from

==========
Reland "Replace slots buffer with remembered set. (patchset #14 id:250001 of
https://codereview.chromium.org/1703823002/ )"

This reverts commit 9146bc5e2075797432c814b51c3e862ff959aacc.

This contains a fix for the following crash:
1. We record slots for a fixed array.
2. We trim the fixed array, so that some recorded slots are now in free space.
3. During mark-compact we sweep the page with the fixed array. Now free list
items contains memory with recorded slots.
4. We evacuate a byte array using the new free list items.
5. We iterate slots that are now inside the byte array and crash.



BUG=chromium:589413,chromium:578883
LOG=NO
==========

to

==========
Reland "Replace slots buffer with remembered set. (patchset #14 id:250001 of
https://codereview.chromium.org/1703823002/ )"

This reverts commit 9146bc5e2075797432c814b51c3e862ff959aacc.

This contains a fix for the following crash:
1. We record slots for a fixed array.
2. We trim the fixed array, so that some recorded slots are now in free space.
3. During mark-compact we sweep the page with the fixed array. Now free list
items contain memory with recorded slots.
4. We evacuate a byte array using the new free list items.
5. We iterate slots that are now inside the byte array and crash.



BUG=chromium:589413,chromium:578883
LOG=NO
==========

[ulan, 2016-02-25 16:08:02]

The CQ bit was checked by ulan@chromium.org

[ulan, 2016-02-25 16:08:03]

The patchset sent to the CQ was uploaded after l-g-t-m from jochen@chromium.org
Link to the patchset: https://codereview.chromium.org/1735523002/#ps120001
(title: "int -> size_t")

[commit-bot: I haz the power, 2016-02-25 16:08:11]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1735523002/120001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1735523002/120001

[commit-bot: I haz the power, 2016-02-25 16:14:19]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-02-25 16:14:20]

Try jobs failed on following builders:
  v8_win_nosnap_shared_compile_rel on tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_win_nosnap_shared_compil...)

[ulan, 2016-02-25 17:06:24]

The CQ bit was checked by ulan@chromium.org

[ulan, 2016-02-25 17:06:24]

The patchset sent to the CQ was uploaded after l-g-t-m from jochen@chromium.org
Link to the patchset: https://codereview.chromium.org/1735523002/#ps140001
(title: "one more int->size_t")

[commit-bot: I haz the power, 2016-02-25 17:06:33]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1735523002/140001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1735523002/140001

[commit-bot: I haz the power, 2016-02-25 17:28:56]

Description was changed from

==========
Reland "Replace slots buffer with remembered set. (patchset #14 id:250001 of
https://codereview.chromium.org/1703823002/ )"

This reverts commit 9146bc5e2075797432c814b51c3e862ff959aacc.

This contains a fix for the following crash:
1. We record slots for a fixed array.
2. We trim the fixed array, so that some recorded slots are now in free space.
3. During mark-compact we sweep the page with the fixed array. Now free list
items contain memory with recorded slots.
4. We evacuate a byte array using the new free list items.
5. We iterate slots that are now inside the byte array and crash.



BUG=chromium:589413,chromium:578883
LOG=NO
==========

to

==========
Reland "Replace slots buffer with remembered set. (patchset #14 id:250001 of
https://codereview.chromium.org/1703823002/ )"

This reverts commit 9146bc5e2075797432c814b51c3e862ff959aacc.

This contains a fix for the following crash:
1. We record slots for a fixed array.
2. We trim the fixed array, so that some recorded slots are now in free space.
3. During mark-compact we sweep the page with the fixed array. Now free list
items contain memory with recorded slots.
4. We evacuate a byte array using the new free list items.
5. We iterate slots that are now inside the byte array and crash.



BUG=chromium:589413,chromium:578883
LOG=NO
==========

[commit-bot: I haz the power, 2016-02-25 17:28:58]

Committed patchset #8 (id:140001)

[commit-bot: I haz the power, 2016-02-25 17:29:31]

Description was changed from

==========
Reland "Replace slots buffer with remembered set. (patchset #14 id:250001 of
https://codereview.chromium.org/1703823002/ )"

This reverts commit 9146bc5e2075797432c814b51c3e862ff959aacc.

This contains a fix for the following crash:
1. We record slots for a fixed array.
2. We trim the fixed array, so that some recorded slots are now in free space.
3. During mark-compact we sweep the page with the fixed array. Now free list
items contain memory with recorded slots.
4. We evacuate a byte array using the new free list items.
5. We iterate slots that are now inside the byte array and crash.



BUG=chromium:589413,chromium:578883
LOG=NO
==========

to

==========
Reland "Replace slots buffer with remembered set. (patchset #14 id:250001 of
https://codereview.chromium.org/1703823002/ )"

This reverts commit 9146bc5e2075797432c814b51c3e862ff959aacc.

This contains a fix for the following crash:
1. We record slots for a fixed array.
2. We trim the fixed array, so that some recorded slots are now in free space.
3. During mark-compact we sweep the page with the fixed array. Now free list
items contain memory with recorded slots.
4. We evacuate a byte array using the new free list items.
5. We iterate slots that are now inside the byte array and crash.

BUG=chromium:589413,chromium:578883
LOG=NO

Committed: https://crrev.com/01b8fc894b74ac9c12e18a1308950bb4a2f7c550
Cr-Commit-Position: refs/heads/master@{#34302}
==========

[commit-bot: I haz the power, 2016-02-25 17:29:32]

Patchset 8 (id:??) landed as
https://crrev.com/01b8fc894b74ac9c12e18a1308950bb4a2f7c550
Cr-Commit-Position: refs/heads/master@{#34302}