Avoid stale store buffer entries after full GC by promoting objects referenced by the store buffer.

src/heap/mark-compact.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/v8.h"
 
 #include "src/base/atomicops.h"
 #include "src/base/bits.h"
 #include "src/code-stubs.h"
 #include "src/compilation-cache.h"
@@ skipping 1839 matching lines @@
     if (current_cell == 0) continue;
 
     int offset = 0;
     while (current_cell != 0) {
       int trailing_zeros = base::bits::CountTrailingZeros32(current_cell);
       current_cell >>= trailing_zeros;
       offset += trailing_zeros;
       Address address = cell_base + offset * kPointerSize;
       HeapObject* object = HeapObject::FromAddress(address);
 
+      offset++;
+      current_cell >>= 1;
+
+      MapWord map_word = object->map_word();
+      if (map_word.IsForwardingAddress()) {
+        printf("forwarded object found %p\n", address);
+        continue;
+      }
+
       int size = object->Size();
       survivors_size += size;
 
       Heap::UpdateAllocationSiteFeedback(object, Heap::RECORD_SCRATCHPAD_SLOT);
 
-      offset++;
-      current_cell >>= 1;
-
       // TODO(hpayer): Refactor EvacuateObject and call this function instead.
       if (heap()->ShouldBePromoted(object->address(), size) &&
           TryPromoteObject(object, size)) {
         continue;
       }
 
       AllocationResult allocation = new_space->AllocateRaw(size);
       if (allocation.IsRetry()) {
         if (!new_space->AddFreshPage()) {
           // Shouldn't happen. We are sweeping linearly, and to-space
@@ skipping 1055 matching lines @@
   // update garbage memory which was concurrently accessed by the sweeper.
   if (new_addr != NULL) {
     base::NoBarrier_CompareAndSwap(
         reinterpret_cast<base::AtomicWord*>(address),
         reinterpret_cast<base::AtomicWord>(object),
         reinterpret_cast<base::AtomicWord>(HeapObject::FromAddress(new_addr)));
   }
 }
 
 
+static void PromoteObjectReferencedFromStoreBuffer(HeapObject** address,
+                                                   HeapObject* object) {
+  Heap* heap = object->GetIsolate()->heap();
+  DCHECK(heap->InFromSpace(object));
+
+  // We use the first word (where the map pointer usually is) of a heap
+  // object to record the forwarding pointer.  A forwarding pointer can
+  // point to an old space, the code space, or the to space of the new
+  // generation.
+  MapWord first_word = object->map_word();
+
+  // If the first word is a forwarding address, the object has already been
+  // promoted to the old generation. There must have been a duplicate store
+  // buffer entry.
+  if (first_word.IsForwardingAddress()) {
+    DCHECK(!heap->InNewSpace(first_word.ToForwardingAddress()));
+    return;
+  }
+
+  if (!heap->mark_compact_collector()->TryPromoteObject(object,
+                                                        object->Size())) {
+    V8::FatalProcessOutOfMemory("Store buffer promotion");
+  }
+}
+
+
 static String* UpdateReferenceInExternalStringTableEntry(Heap* heap,
                                                          Object** p) {
   MapWord map_word = HeapObject::cast(*p)->map_word();
 
   if (map_word.IsForwardingAddress()) {
     return String::cast(map_word.ToForwardingAddress());
   }
 
   return String::cast(*p);
 }
@@ skipping 31 matching lines @@
   Address from_bottom = new_space->bottom();
   Address from_top = new_space->top();
 
   // Flip the semispaces.  After flipping, to space is empty, from space has
   // live objects.
   new_space->Flip();
   new_space->ResetAllocationInfo();
 
   int survivors_size = 0;
 
+  {
+    StoreBufferRebuildScope scope(heap_, heap_->store_buffer(),
+                                  &Heap::ScavengeStoreBufferCallback);
+    heap_->store_buffer()->IteratePointersToNewSpace(
+        &PromoteObjectReferencedFromStoreBuffer);
+  }
+
   // First pass: traverse all objects in inactive semispace, remove marks,
   // migrate live objects and write forwarding addresses.  This stage puts
   // new entries in the store buffer and may cause some pages to be marked
   // scan-on-scavenge.
   NewSpacePageIterator it(from_bottom, from_top);
   while (it.has_next()) {
     NewSpacePage* p = it.next();
     survivors_size += DiscoverAndEvacuateBlackObjectsOnPage(new_space, p);
   }
 
@@ skipping 390 matching lines @@
     }
   }
   invalidated_code_.Rewind(0);
 }
 
 
 void MarkCompactCollector::EvacuateNewSpaceAndCandidates() {
   Heap::RelocationLock relocation_lock(heap());
 
   bool code_slots_filtering_required;
+
   {
     GCTracer::Scope gc_scope(heap()->tracer(),
                              GCTracer::Scope::MC_SWEEP_NEWSPACE);
     code_slots_filtering_required = MarkInvalidatedCode();
     EvacuateNewSpace();
   }
 
   {
     GCTracer::Scope gc_scope(heap()->tracer(),
                              GCTracer::Scope::MC_EVACUATE_PAGES);
@@ skipping 1016 matching lines @@
   SlotsBuffer* buffer = *buffer_address;
   while (buffer != NULL) {
     SlotsBuffer* next_buffer = buffer->next();
     DeallocateBuffer(buffer);
     buffer = next_buffer;
   }
   *buffer_address = NULL;
 }
 }
 }  // namespace v8::internal