[heap] Make LiveObjectIterator concurrency safe

src/heap/mark-compact-inl.h

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef V8_HEAP_MARK_COMPACT_INL_H_
 #define V8_HEAP_MARK_COMPACT_INL_H_
 
 #include "src/heap/mark-compact.h"
 #include "src/heap/remembered-set.h"
 #include "src/isolate.h"
@@ skipping 145 matching lines @@
                  HeapObject::FromAddress(addr)
                      ->GetHeap()
                      ->one_pointer_filler_map());
           return nullptr;
         }
         it_.Advance();
         cell_base_ = it_.CurrentCellBase();
         current_cell_ = *it_.CurrentCell();
       }
 
+      Map* map = nullptr;
       if (current_cell_ & second_bit_index) {
         // We found a black object. If the black object is within a black area,
         // make sure that we skip all set bits in the black area until the
         // object ends.
         HeapObject* black_object = HeapObject::FromAddress(addr);
-        Address end = addr + black_object->Size() - kPointerSize;
+        map = black_object->synchronized_map();

[Hannes Payer (out of office), 2016/11/07 09:26:55]

Size() uses no barrier accessor. No need to synchronize here, however we can if
it is not a performance issue.

[Michael Lippautz, 2016/11/07 09:36:50]

Changed to NoBarrier read.

+        Address end = addr + black_object->SizeFromMap(map) - kPointerSize;
         // One word filler objects do not borrow the second mark bit. We have
         // to jump over the advancing and clearing part.
         // Note that we know that we are at a one word filler when
         // object_start + object_size - kPointerSize == object_start.
         if (addr != end) {
           DCHECK_EQ(chunk_, MemoryChunk::FromAddress(end));
           uint32_t end_mark_bit_index = chunk_->AddressToMarkbitIndex(end);
           unsigned int end_cell_index =
               end_mark_bit_index >> Bitmap::kBitsPerCellLog2;
           MarkBit::CellType end_index_mask =
               1u << Bitmap::IndexInCell(end_mark_bit_index);
           if (it_.Advance(end_cell_index)) {
             cell_base_ = it_.CurrentCellBase();
             current_cell_ = *it_.CurrentCell();
           }
 
           // Clear all bits in current_cell, including the end index.
           current_cell_ &= ~(end_index_mask + end_index_mask - 1);
         }
 
         if (T == kBlackObjects || T == kAllLiveObjects) {
           object = black_object;
         }
       } else if ((T == kGreyObjects || T == kAllLiveObjects)) {
         object = HeapObject::FromAddress(addr);
       }
 
       // We found a live object.
       if (object != nullptr) {
-        if (object->IsFiller()) {
-          // Black areas together with slack tracking may result in black filler
-          // objects. We filter these objects out in the iterator.
+        if (map == nullptr || map == heap()->one_pointer_filler_map()) {

[Hannes Payer (out of office), 2016/11/07 09:26:55]

How can map become nullptr?

[Michael Lippautz, 2016/11/07 09:36:50]

As discussed offline: This happens when we take the branch for gray objects.

+          // Black areas together with slack tracking may result in black one
+          // word filler objects. We filter these objects out in the iterator.
           object = nullptr;
         } else {
           break;
         }
       }
     }
 
     if (current_cell_ == 0) {
       if (!it_.Done()) {
         it_.Advance();
         cell_base_ = it_.CurrentCellBase();
         current_cell_ = *it_.CurrentCell();
       }
     }
     if (object != nullptr) return object;
   }
   return nullptr;
 }
 
 }  // namespace internal
 }  // namespace v8
 
 #endif  // V8_HEAP_MARK_COMPACT_INL_H_