From 1084ead1d932ed11cfb6166dd1c03695b04f6066 Mon Sep 17 00:00:00 2001
From: "mstarzinger@chromium.org"
Date: Wed, 28 May 2014 11:17:02 +0000
Subject: [PATCH] Fix processing of partially initialized JSWeakCollection.
R=hpayer@chromium.org
BUG=v8:2070
LOG=N
Review URL: https://codereview.chromium.org/300843009
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21563 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/mark-compact.cc | 41 ++++++++++++++++++++++-------------------
 src/objects-visiting-inl.h | 3 ++-
 2 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/src/mark-compact.cc b/src/mark-compact.cc
index 3d1af7c..e13a974 100644
--- a/src/mark-compact.cc
+++ b/src/mark-compact.cc
@@ -2740,21 +2740,22 @@ void MarkCompactCollector::ProcessWeakCollections() { GCTracer::Scope gc_scope(tracer_, GCTracer::Scope::MC_WEAKCOLLECTION_PROCESS); Object* weak_collection_obj = encountered_weak_collections(); while (weak_collection_obj != Smi::FromInt(0)) { - ASSERT(MarkCompactCollector::IsMarked( - HeapObject::cast(weak_collection_obj))); JSWeakCollection* weak_collection = reinterpret_cast(weak_collection_obj); - ObjectHashTable* table = ObjectHashTable::cast(weak_collection->table()); - Object** anchor = reinterpret_cast(table->address()); - for (int i = 0; i < table->Capacity(); i++) { - if (MarkCompactCollector::IsMarked(HeapObject::cast(table->KeyAt(i)))) { - Object** key_slot = - table->RawFieldOfElementAt(ObjectHashTable::EntryToIndex(i)); - RecordSlot(anchor, key_slot, *key_slot); - Object** value_slot = - table->RawFieldOfElementAt(ObjectHashTable::EntryToValueIndex(i)); - MarkCompactMarkingVisitor::MarkObjectByPointer( - this, anchor, value_slot); + ASSERT(MarkCompactCollector::IsMarked(weak_collection)); + if (weak_collection->table()->IsHashTable()) { + ObjectHashTable* table = ObjectHashTable::cast(weak_collection->table()); + Object** anchor = reinterpret_cast(table->address()); + for (int i = 0; i < table->Capacity(); i++) { + if (MarkCompactCollector::IsMarked(HeapObject::cast(table->KeyAt(i)))) { + Object** key_slot = + table->RawFieldOfElementAt(ObjectHashTable::EntryToIndex(i)); + RecordSlot(anchor, key_slot, *key_slot); + Object** value_slot = + table->RawFieldOfElementAt(ObjectHashTable::EntryToValueIndex(i)); + MarkCompactMarkingVisitor::MarkObjectByPointer( + this, anchor, value_slot); + } } } weak_collection_obj = weak_collection->next(); 
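Review bot: The new `if (weak_collection->table()->IsHashTable())` guard in ProcessWeakCollections carries no comment saying why a marked collection can reach this loop without a table; the only explanation the commit adds sits in objects-visiting-inl.h. A reader of mark-compact.cc sees an unexplained type check in front of `ObjectHashTable::cast`, and it is exactly that check which keeps the cast from being applied to a non-table value. I would add `// A partially initialized weak collection is on the list but has no table yet; skip it.` above the guard here and above the identical guard in ClearWeakCollections. The closing lines of the function are outside the hunk.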
@@ -2766,14 +2767,16 @@ void MarkCompactCollector::ClearWeakCollections() { GCTracer::Scope gc_scope(tracer_, GCTracer::Scope::MC_WEAKCOLLECTION_CLEAR); Object* weak_collection_obj = encountered_weak_collections(); while (weak_collection_obj != Smi::FromInt(0)) { - ASSERT(MarkCompactCollector::IsMarked( - HeapObject::cast(weak_collection_obj))); JSWeakCollection* weak_collection = reinterpret_cast(weak_collection_obj); - ObjectHashTable* table = ObjectHashTable::cast(weak_collection->table()); - for (int i = 0; i < table->Capacity(); i++) { - if (!MarkCompactCollector::IsMarked(HeapObject::cast(table->KeyAt(i)))) { - table->RemoveEntry(i); + ASSERT(MarkCompactCollector::IsMarked(weak_collection)); + if (weak_collection->table()->IsHashTable()) { + ObjectHashTable* table = ObjectHashTable::cast(weak_collection->table()); + for (int i = 0; i < table->Capacity(); i++) { + HeapObject* key = HeapObject::cast(table->KeyAt(i)); + if (!MarkCompactCollector::IsMarked(key)) { + table->RemoveEntry(i); + } } } weak_collection_obj = weak_collection->next(); diff --git a/src/objects-visiting-inl.h b/src/objects-visiting-inl.h index 65c93a2..057b8ae 100644 --- a/src/objects-visiting-inl.h +++ b/src/objects-visiting-inl.h @@ -404,7 +404,7 @@ void StaticMarkingVisitor::VisitWeakCollection( reinterpret_cast(object); MarkCompactCollector* collector = heap->mark_compact_collector(); - // Enqueue weak map in linked list of encountered weak maps. + // Enqueue weak collection in linked list of encountered weak collections. if (weak_collection->next() == heap->undefined_value()) { weak_collection->set_next(collector->encountered_weak_collections()); collector->set_encountered_weak_collections(weak_collection); 
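Review bot: The guard in ClearWeakCollections treats every non-hash-table value of `table()` as a partially initialized collection, so a table field holding anything unexpected is skipped silently instead of being caught. The `ASSERT` on the mark bit is already debug-only, so a second debug check pinning the expected placeholder costs nothing in release builds, for example `ASSERT(weak_collection->table()->IsHashTable() || weak_collection->table()->IsUndefined());`. That assumes the uninitialized field holds undefined, which these hunks do not show and should be confirmed. The same applies to the guard in ProcessWeakCollections. The diffstat lists only the two source files, so a regression test that runs a mark-compact cycle while a weak collection is still being set up would be worth adding with this fix.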
@@ -420,6 +420,7 @@ void StaticMarkingVisitor::VisitWeakCollection( STATIC_ASSERT(JSWeakCollection::kNextOffset + kPointerSize == JSWeakCollection::kSize); + // Partially initialized weak collection is enqueued, but table is ignored. if (!weak_collection->table()->IsHashTable()) return; // Mark the backing hash table without pushing it on the marking stack. -- 2.7.4