[heap] Don't consider mementos on pages below age mark

src/heap/heap-inl.h

Index: src/heap/heap-inl.h
diff --git a/src/heap/heap-inl.h b/src/heap/heap-inl.h
index a12c6d031c389310a6be506245cb929b4efec413..f746bcb299eedc702312c5b41cc881a7293295da 100644
--- a/src/heap/heap-inl.h
+++ b/src/heap/heap-inl.h
@@ -479,13 +479,12 @@ void Heap::CopyBlock(Address dst, Address src, int byte_size) {
 
 template <Heap::FindMementoMode mode>
 AllocationMemento* Heap::FindAllocationMemento(HeapObject* object) {
-  // Check if there is potentially a memento behind the object. If
-  // the last word of the memento is on another page we return
-  // immediately.
   Address object_address = object->address();
   Address memento_address = object_address + object->Size();
   Address last_memento_word_address = memento_address + kPointerSize;
-  if (!Page::OnSamePage(object_address, last_memento_word_address)) {
+  Page* object_page = Page::FromAddress(object_address);
+  // If the memento would be on another page, bail out immediately.
+  if ((object_page != Page::FromAddress(last_memento_word_address))) {

[Hannes Payer (out of office), 2016/07/27 08:34:34]

Can you leave the original check unchanged?

[Michael Lippautz, 2016/07/27 11:12:07]

Done.

     return nullptr;
   }
   HeapObject* candidate = HeapObject::FromAddress(memento_address);
@@ -497,6 +496,13 @@ AllocationMemento* Heap::FindAllocationMemento(HeapObject* object) {
   if (candidate_map != allocation_memento_map()) {
     return nullptr;
   }
+
+  // If the memento is below the age mark, which can happen when mementos
+  // survived because a page got moved within new space, bail out.
+  if (object_page->IsFlagSet(MemoryChunk::NEW_SPACE_BELOW_AGE_MARK)) {
+    return nullptr;
+  }
+
   AllocationMemento* memento_candidate = AllocationMemento::cast(candidate);
 
   // Depending on what the memento is used for, we might need to perform