Remove slots that point to unboxed doubles from the StoreBuffer/SlotsBuffer.

src/objects.cc

 // Copyright 2013 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <iomanip>
 #include <sstream>
 
 #include "src/v8.h"
 
 #include "src/accessors.h"
@@ skipping 1898 matching lines @@
     // For slow-to-fast migrations JSObject::TransformToFastProperties()
     // must be used instead.
     CHECK(new_map->is_dictionary_map());
 
     // Slow-to-slow migration is trivial.
     object->set_map(*new_map);
   }
 }
 
 
+// Returns true if during migration from |old_map| to |new_map| "tagged"
+// inobject fields are going to be replaced with unboxed double fields.
+static bool ShouldClearSlotsRecorded(Map* old_map, Map* new_map,
+                                     int new_number_of_fields) {
+  DisallowHeapAllocation no_gc;
+  int inobject = new_map->inobject_properties();
+  DCHECK(inobject <= old_map->inobject_properties());
+
+  int limit = Min(inobject, new_number_of_fields);
+  for (int i = 0; i < limit; i++) {
+    FieldIndex index = FieldIndex::ForPropertyIndex(new_map, i);
+    if (new_map->IsUnboxedDoubleField(index) &&
+        !old_map->IsUnboxedDoubleField(index)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+
+static void RemoveOldToOldSlotsRecorded(Heap* heap, JSObject* object,
+                                        FieldIndex index) {
+  DisallowHeapAllocation no_gc;
+
+  Object* old_value = object->RawFastPropertyAt(index);
+  if (old_value->IsHeapObject()) {
+    HeapObject* ho = HeapObject::cast(old_value);
+    if (heap->InNewSpace(ho)) {
+      // At this point there must be no old-to-new slots recorded for this
+      // object.
+      SLOW_DCHECK(
+          !heap->store_buffer()->CellIsInStoreBuffer(reinterpret_cast<Address>(
+              HeapObject::RawField(object, index.offset()))));
+    } else {
+      Page* p = Page::FromAddress(reinterpret_cast<Address>(ho));
+      if (p->IsEvacuationCandidate()) {
+        Object** slot = HeapObject::RawField(object, index.offset());
+        SlotsBuffer::RemoveSlot(p->slots_buffer(), slot);
+      }
+    }
+  }
+}
+
+
 // To migrate a fast instance to a fast map:
 // - First check whether the instance needs to be rewritten. If not, simply
 //   change the map.
 // - Otherwise, allocate a fixed array large enough to hold all fields, in
 //   addition to unused space.
 // - Copy all existing properties in, in the following order: backing store
 //   properties, unused fields, inobject properties.
 // - If all allocation succeeded, commit the state atomically:
 //   * Copy inobject properties from the backing store back into the object.
 //   * Trim the difference in instance size of the object. This also cleanly
@@ skipping 133 matching lines @@
       value = isolate->factory()->uninitialized_value();
     }
     int target_index = new_descriptors->GetFieldIndex(i) - inobject;
     if (target_index < 0) target_index += total_size;
     array->set(target_index, *value);
   }
 
   // From here on we cannot fail and we shouldn't GC anymore.
   DisallowHeapAllocation no_allocation;
 
+  Heap* heap = isolate->heap();
+
+  // If we are going to put an unboxed double to the field that used to
+  // contain HeapObject we should ensure that this slot is removed from
+  // both StoreBuffer or respective SlotsBuffer.

[Hannes Payer (out of office), 2015/03/03 09:48:53]

"or respective" => "and"

[Igor Sheludko, 2015/03/04 14:54:20]

Done.

+  bool clear_slots_recorded =
+      FLAG_unbox_double_fields && !heap->InNewSpace(object->address()) &&
+      ShouldClearSlotsRecorded(*old_map, *new_map, number_of_fields);
+  if (clear_slots_recorded) {
+    Address obj_address = object->address();
+    Address end_address = obj_address + old_map->instance_size();

[Hannes Payer (out of office), 2015/03/03 09:48:53]

Why are you removing all the pointers?

[Igor Sheludko, 2015/03/04 14:54:20]

Because in the next loop all the values will be written again and correct slots
will be added to respective store/slots buffer.

+    heap->store_buffer()->RemoveSlots(obj_address, end_address);
+  }
+
   // Copy (real) inobject properties. If necessary, stop at number_of_fields to
   // avoid overwriting |one_pointer_filler_map|.
   int limit = Min(inobject, number_of_fields);
   for (int i = 0; i < limit; i++) {
     FieldIndex index = FieldIndex::ForPropertyIndex(*new_map, i);
     Object* value = array->get(external + i);
-    // Can't use JSObject::FastPropertyAtPut() because proper map was not set
-    // yet.
     if (new_map->IsUnboxedDoubleField(index)) {
       DCHECK(value->IsMutableHeapNumber());
+      if (clear_slots_recorded && !old_map->IsUnboxedDoubleField(index)) {
+        RemoveOldToOldSlotsRecorded(heap, *object, index);
+      }
       object->RawFastDoublePropertyAtPut(index,
                                          HeapNumber::cast(value)->value());
     } else {
       object->RawFastPropertyAtPut(index, value);
     }
   }
 
-  Heap* heap = isolate->heap();
-
   // If there are properties in the new backing store, trim it to the correct
   // size and install the backing store into the object.
   if (external > 0) {
     heap->RightTrimFixedArray<Heap::FROM_MUTATOR>(*array, inobject);
     object->set_properties(*array);
   }
 
   // Create filler object past the new instance size.
   int new_instance_size = new_map->instance_size();
   int instance_size_delta = old_map->instance_size() - new_instance_size;
@@ skipping 15056 matching lines @@
                                                CompilationInfo* info) {
   Handle<DependentCode> codes = DependentCode::InsertCompilationInfo(
       handle(cell->dependent_code(), info->isolate()),
       DependentCode::kPropertyCellChangedGroup, info->object_wrapper());
   if (*codes != cell->dependent_code()) cell->set_dependent_code(*codes);
   info->dependencies(DependentCode::kPropertyCellChangedGroup)->Add(
       cell, info->zone());
 }
 
 } }  // namespace v8::internal