[heap] Color object black on unsafe layout change.

src/heap/incremental-marking.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/heap/incremental-marking.h"
 
 #include "src/code-stubs.h"
 #include "src/compilation-cache.h"
 #include "src/conversions.h"
 #include "src/heap/concurrent-marking.h"
@@ skipping 119 matching lines @@
 }
 
 bool IncrementalMarking::WhiteToGreyAndPush(HeapObject* obj) {
   if (ObjectMarking::WhiteToGrey<kAtomicity>(obj, marking_state(obj))) {
     marking_deque()->Push(obj);
     return true;
   }
   return false;
 }
 
+void IncrementalMarking::MarkBlackAndPush(HeapObject* obj) {
+  MarkBit mark_bit = ObjectMarking::MarkBitFrom(obj, marking_state(obj));
+  // Color the object black and push it into the bailout deque.
+  Marking::WhiteToGrey<kAtomicity>(mark_bit);
+  if (Marking::GreyToBlack<kAtomicity>(mark_bit)) {
+#if V8_CONCURRENT_MARKING
+    marking_deque()->Push(obj, MarkingThread::kMain, TargetDeque::kBailout);
+#else
+    marking_deque()->Push(obj);
+#endif
+  }
+}
+
 void IncrementalMarking::TransferMark(Heap* heap, HeapObject* from,
                                       HeapObject* to) {
   DCHECK(MemoryChunk::FromAddress(from->address())->SweepingDone());
   // This is only used when resizing an object.
   DCHECK(MemoryChunk::FromAddress(from->address()) ==
          MemoryChunk::FromAddress(to->address()));
 
   if (!IsMarking()) return;
 
   // If the mark doesn't move, we don't check the color of the object.
@@ skipping 708 matching lines @@
 }
 
 void IncrementalMarking::VisitObject(Map* map, HeapObject* obj, int size) {
 #if ENABLE_SLOW_DCHECKS
   MarkBit mark_bit = ObjectMarking::MarkBitFrom(obj, marking_state(obj));
   MemoryChunk* chunk = MemoryChunk::FromAddress(obj->address());
   SLOW_DCHECK(Marking::IsGrey<kAtomicity>(mark_bit) ||
               (chunk->IsFlagSet(MemoryChunk::HAS_PROGRESS_BAR) &&
                Marking::IsBlack<kAtomicity>(mark_bit)));
 #endif
-  if (ObjectMarking::GreyToBlack<kAtomicity>(obj, marking_state(obj))) {
-    WhiteToGreyAndPush(map);
-    IncrementalMarkingMarkingVisitor::IterateBody(map, obj);
-  } else if (IsFixedArrayWithProgressBar(obj)) {
-    DCHECK(ObjectMarking::IsBlack<kAtomicity>(obj, marking_state(obj)));
-    IncrementalMarkingMarkingVisitor::VisitFixedArrayIncremental(map, obj);
+  // The object can already be black in two cases:
+  // 1. The object is a fixed array with the progress bar.
+  // 2. The object is a JSObject that was colored black before

[Hannes Payer (out of office), 2017/05/10 20:37:45]

Don't you want to bail out for black JSObjects?

[ulan, 2017/05/11 10:37:24]

As discussed offline we now have to handle black JSObject on the main thread
because they are colored black on layout change and pushed into the bailout
queue.

+  //    unsafe layout change.
+  if (!ObjectMarking::GreyToBlack<kAtomicity>(obj, marking_state(obj))) {
+    DCHECK(IsFixedArrayWithProgressBar(obj) || obj->IsJSObject());
   }
+  DCHECK(ObjectMarking::IsBlack<kAtomicity>(obj, marking_state(obj)));
+  WhiteToGreyAndPush(map);
+  IncrementalMarkingMarkingVisitor::IterateBody(map, obj);
 }
 
 intptr_t IncrementalMarking::ProcessMarkingDeque(
     intptr_t bytes_to_process, ForceCompletionAction completion) {
   intptr_t bytes_processed = 0;
   while (!marking_deque()->IsEmpty() && (bytes_processed < bytes_to_process ||
                                          completion == FORCE_COMPLETION)) {
     HeapObject* obj = marking_deque()->Pop();
 
     // Left trimming may result in white, grey, or black filler objects on the
@@ skipping 332 matching lines @@
   idle_marking_delay_counter_++;
 }
 
 
 void IncrementalMarking::ClearIdleMarkingDelayCounter() {
   idle_marking_delay_counter_ = 0;
 }
 
 }  // namespace internal
 }  // namespace v8