review.tizen.org Git - platform/upstream/v8.git/commit

author	ulan@chromium.org <ulan@chromium.org>
	Fri, 31 Oct 2014 13:11:30 +0000 (13:11 +0000)
committer	ulan@chromium.org <ulan@chromium.org>
	Fri, 31 Oct 2014 13:11:44 +0000 (13:11 +0000)
commit	de672226c7554213221ffe5a049733bad6a68e90
tree	89cb0d7789e167d010f1bdf6dd9e727fbeb885db	tree \| snapshot
parent	1bb79539f3c9f006fe0f5b886c053c0e6acb55a5	commit \| diff

Clear old backing store of WeakCollection on updates.

Not clearing can lead to a crash under following conditions:
1. Backing store of a weak map is allocated in large object space.
2. The backing store is marked incrementaly via the weak map.
3. The weak map is updated and gets a new backing store.
4. The store buffer overflows and marks the chunk of the old backing store as
"scan on scavenge."
5. Mark-compact collection kills some elements of the weak map. Note that the
old backing store survives because it was marked incrementally, but its dead
elements are not cleared.
6. Scavenger iterates over the old backing store, tries to move a dead object
and crashes.

BUG=v8:3631
LOG=N
TEST=cctest/test-heap/Regress3631
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/686783003

Cr-Commit-Position: refs/heads/master@{#25032}
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@25032 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/runtime/runtime-collections.cc		diff \| blob \| history
test/cctest/test-heap.cc		diff \| blob \| history