Revision: 10082
Author: vego...@chromium.org
Date: Tue Nov 29 02:02:38 2011
Log: When scavenging, update the source slot before migrating the object it
points to.
Source slot might belong to a dead old object and we might allocate a new
object over it when evacuating a new space object this slot points to. In
this case if we update slot after migrating object we will write into
migrated object.
R=erik.co...@gmail.com
Review URL: http://codereview.chromium.org/8698022
http://code.google.com/p/v8/source/detail?r=10082
Modified:
/branches/bleeding_edge/src/heap.cc
=======================================
--- /branches/bleeding_edge/src/heap.cc Fri Nov 25 06:41:38 2011
+++ /branches/bleeding_edge/src/heap.cc Tue Nov 29 02:02:38 2011
@@ -1486,10 +1486,10 @@
// Helper function used by CopyObject to copy a source object to an
// allocated target object and update the forwarding pointer in the
source
// object. Returns the target object.
- INLINE(static HeapObject* MigrateObject(Heap* heap,
- HeapObject* source,
- HeapObject* target,
- int size)) {
+ INLINE(static void MigrateObject(Heap* heap,
+ HeapObject* source,
+ HeapObject* target,
+ int size)) {
// Copy the content of source to target.
heap->CopyBlock(target->address(), source->address(), size);
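Review bot: The header comment kept as context at L19-L22 still ends with `// Returns the target object.`, but the new signature on the added lines is `static void MigrateObject(...)` and the `return target;` is removed in the following hunk, so the comment now documents a return value that no longer exists. Since the point of dropping the return is that the caller must store `target` into the slot before calling, this is also the right place to state that contract rather than repeating it at each call site. Suggest replacing the last sentence with `// Does not return target: callers must store target into the slot that referenced source BEFORE calling, since the slot may lie inside target's storage and would otherwise be overwritten by the copy.` MigrateObject's body continues past the end of this hunk.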
@@ -1515,8 +1515,6 @@
MemoryChunk::IncrementLiveBytes(target->address(), size);
}
}
-
- return target;
}
template<ObjectContents object_contents, SizeRestriction
size_restriction>
@@ -1547,7 +1545,12 @@
Object* result = NULL; // Initialization to please compiler.
if (maybe_result->ToObject(&result)) {
HeapObject* target = HeapObject::cast(result);
- *slot = MigrateObject(heap, object , target, object_size);
+
+ // Order is important: slot might be inside of the target if target
+ // was allocated over a dead object and slot comes from the store
+ // buffer.
+ *slot = target;
+ MigrateObject(heap, object, target, object_size);
if (object_contents == POINTER_OBJECT) {
heap->promotion_queue()->insert(target, object_size);
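Review bot: The new comment says the order matters but not why the early store is safe, which is the non-obvious part: when `slot` aliases `target`, the `*slot = target` write is immediately clobbered by the CopyBlock inside MigrateObject, and that is acceptable only because the slot belongs to a dead object whose store-buffer entry is stale. Suggest extending the comment with `// If slot lies inside target (a dead old-space object whose stale store-buffer entry we are visiting), this store is overwritten by the copy in MigrateObject; that is fine because the slot is dead, whereas storing after the copy would corrupt the migrated object.` The same reasoning assumes `slot` never lies inside the source `object`, since a store there would be copied into `target`; if an `ASSERT` macro is available in this file, a debug check such as `ASSERT(reinterpret_cast<Address>(slot) < object->address() || reinterpret_cast<Address>(slot) >= object->address() + object_size);` would pin that assumption down. The enclosing function starts outside this hunk.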
@@ -1560,8 +1563,13 @@
MaybeObject* allocation = heap->new_space()->AllocateRaw(object_size);
heap->promotion_queue()->SetNewLimit(heap->new_space()->top());
Object* result = allocation->ToObjectUnchecked();
-
- *slot = MigrateObject(heap, object, HeapObject::cast(result),
object_size);
+ HeapObject* target = HeapObject::cast(result);
+
+ // Order is important: slot might be inside of the target if target
+ // was allocated over a dead object and slot comes from the store
+ // buffer.
+ *slot = target;
+ MigrateObject(heap, object, target, object_size);
return;
}
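Review bot: The comment duplicated onto the added lines attributes the aliasing to a slot from the store buffer, but in this path `target` is allocated in new space by `AllocateRaw`, and store-buffer slots, as far as I can tell, live in old space, so the slot-inside-target case does not appear reachable here and the comment may suggest a symmetry with the promotion path that does not exist. If the store-then-migrate order is kept for uniformity, the comment should say so, e.g. `// Same store-then-migrate order as the promotion path. Here target is in to-space, so it should not overlap a store-buffer slot, but the order is harmless and keeps both paths uniform.`; if the overlap is reachable through a slot source I am not seeing, the comment should name that source instead. The enclosing function starts outside this hunk.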