Handle store buffer slot overwrite during object promotion.
The bad scenario this fix handles:
We have a slot in a free list, then promote the object pointed-to by
the slot during scavenge. When allocating the space for the promoted
object, we overwrite the slot with the free list entry map if the
object is allocated just before the slot. After the allocation,
ScavengingVisitor::PromoteObject overwrites the slot with the
address of the allocated object, thus corrupting the free list.
Unfortunately, we do not have a way to construct a reliable repro
case because we would need to somehow craft a free list and store
buffer slot to be in the right configuration.
R=hpayer@chromium.org
BUG=
Review URL: https://codereview.chromium.org/
695213004
Cr-Commit-Position: refs/heads/master@{#25143}
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@25143
ce2b1a6d-e550-0410-aec6-
3dcde31c8c00
projects / platform / upstream / v8.git / commit