Recorded slots in store buffer are never in free space. Remove migration consistency check.

src/heap/heap.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/v8.h"
 
 #include "src/accessors.h"
 #include "src/api.h"
 #include "src/base/bits.h"
 #include "src/base/once.h"
@@ skipping 2100 matching lines @@
     if (allocation.To(&target)) {
       // Order is important here: Set the promotion limit before storing a
       // filler for double alignment or migrating the object. Otherwise we
       // may end up overwriting promotion queue entries when we migrate the
       // object.
       heap->promotion_queue()->SetNewLimit(heap->new_space()->top());
 
       if (alignment != kObjectAlignment) {
         target = EnsureDoubleAligned(heap, target, allocation_size);
       }
+      MigrateObject(heap, object, target, object_size);
 
-      // Order is important: slot might be inside of the target if target
-      // was allocated over a dead object and slot comes from the store
-      // buffer.
+      // Update slot to new target.
       *slot = target;
-      MigrateObject(heap, object, target, object_size);
 
       heap->IncrementSemiSpaceCopiedObjectSize(object_size);
       return true;
     }
     return false;
   }
 
 
   template <ObjectContents object_contents, int alignment>
   static inline bool PromoteObject(Map* map, HeapObject** slot,
@@ skipping 13 matching lines @@
     } else {
       DCHECK(heap->AllowedToBeMigrated(object, OLD_POINTER_SPACE));
       allocation = heap->old_pointer_space()->AllocateRaw(allocation_size);
     }
 
     HeapObject* target = NULL;  // Initialization to please compiler.
     if (allocation.To(&target)) {
       if (alignment != kObjectAlignment) {
         target = EnsureDoubleAligned(heap, target, allocation_size);
       }
+      MigrateObject(heap, object, target, object_size);
 
-      // Order is important: slot might be inside of the target if target
-      // was allocated over a dead object and slot comes from the store
-      // buffer.
-
-      // Unfortunately, the allocation can also write over the slot if the slot
-      // was in free space and the allocation wrote free list data (such as the
-      // free list map or entry size) over the slot.  We guard against this by
-      // checking that the slot still points to the object being moved.  This
-      // should be sufficient because neither the free list map nor the free
-      // list entry size should look like a new space pointer (the former is an
-      // old space pointer, the latter is word-aligned).
-      if (*slot == object) {
-        *slot = target;
-      }
-      MigrateObject(heap, object, target, object_size);
+      // Update slot to new target.
+      *slot = target;
 
       if (object_contents == POINTER_OBJECT) {
         if (map->instance_type() == JS_FUNCTION_TYPE) {
           heap->promotion_queue()->insert(target,
                                           JSFunction::kNonWeakFieldsEndOffset);
         } else {
           heap->promotion_queue()->insert(target, object_size);
         }
       }
       heap->IncrementPromotedObjectsSize(object_size);
@@ skipping 4359 matching lines @@
       static_cast<int>(object_sizes_last_time_[index]));
   CODE_AGE_LIST_COMPLETE(ADJUST_LAST_TIME_OBJECT_COUNT)
 #undef ADJUST_LAST_TIME_OBJECT_COUNT
 
   MemCopy(object_counts_last_time_, object_counts_, sizeof(object_counts_));
   MemCopy(object_sizes_last_time_, object_sizes_, sizeof(object_sizes_));
   ClearObjectStats();
 }
 }
 }  // namespace v8::internal