[heap] Fix forwarding pointer race between sweeper threads and pointer updating threads.

src/heap/mark-compact.cc

Index: src/heap/mark-compact.cc
diff --git a/src/heap/mark-compact.cc b/src/heap/mark-compact.cc
index 78bafce3d6fc52d9c871eb2286df5e6970ed74f6..4e7f0dfeec9a51b75ca8c7d8d38c18ffc5bfeca4 100644
--- a/src/heap/mark-compact.cc
+++ b/src/heap/mark-compact.cc
@@ -3639,7 +3639,10 @@ class PointerUpdateJobTraits {
       MapWord map_word = heap_object->map_word();
       // There could still be stale pointers in large object space, map space,
       // and old space for pages that have been promoted.
-      if (map_word.IsForwardingAddress()) {
+      // A sweeper thread may concurrently write a size value which looks like
+      // a forwarding pointer. We have to ignore these values.
+      if (map_word.IsForwardingAddress() &&
+          map_word.ToRawValue() >= Page::kPageSize) {

[ulan, 2016/10/12 12:18:10]

I think we need to return REMOVE_SLOT if map_word.ToRawValue() < Page::kPageSize

otherwise we will crash below when checking for InToSpace.

[ulan, 2016/10/12 12:21:10]

Nevermind, this works because InToSpace checks for Smi.

[Hannes Payer (out of office), 2016/10/12 12:31:51]

Yes, however I changed it to early bailout. The code is easier to read then.

         // Update the corresponding slot.
         *slot = map_word.ToForwardingAddress();
       }