From 23c15e495c6a8fc1b880c07fae9b89f9e681e459 Mon Sep 17 00:00:00 2001
From: "vegorov@chromium.org"
Date: Tue, 29 Nov 2011 10:02:38 +0000
Subject: [PATCH] When scavenging update source slot before migrating object it points to.

Source slot might belong to a dead old object and we might allocate a new object over it when evacuating a new space object this slot points to. In this case if we update slot after migrating object we will write into migrated object.

R=erik.corry@gmail.com

Review URL: http://codereview.chromium.org/8698022

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10082 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/heap.cc | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/src/heap.cc b/src/heap.cc
index 5bb6410..34f5b8b 100644
--- a/src/heap.cc
+++ b/src/heap.cc
@@ -1486,10 +1486,10 @@ class ScavengingVisitor : public StaticVisitorBase {
   // Helper function used by CopyObject to copy a source object to an
   // allocated target object and update the forwarding pointer in the source
   // object. Returns the target object.
-  INLINE(static HeapObject* MigrateObject(Heap* heap,
-                                          HeapObject* source,
-                                          HeapObject* target,
-                                          int size)) {
+  INLINE(static void MigrateObject(Heap* heap,
+                                   HeapObject* source,
+                                   HeapObject* target,
+                                   int size)) {
     // Copy the content of source to target.
     heap->CopyBlock(target->address(), source->address(), size);
 
@@ -1515,8 +1515,6 @@ class ScavengingVisitor : public StaticVisitorBase {
         MemoryChunk::IncrementLiveBytes(target->address(), size);
       }
     }
-
-    return target;
   }
 
   template
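Review bot: The header comment above MigrateObject in the @@ -1486 hunk still ends with `// object. Returns the target object.`, but the new signature returns void and the @@ -1515 hunk deletes the `return target;`, so that sentence is now stale. Replacing it with `// object. Callers must store target into their own slot *before* calling this,` followed by `// because the slot may lie inside target (see the call sites in CopyObject).` would fix the comment and also record, at the helper's definition, the ordering invariant the commit message describes, rather than leaving it only at each caller. MigrateObject's body between the two hunks, and the class it belongs to, continue outside the shown lines.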
@@ -1547,7 +1545,12 @@ class ScavengingVisitor : public StaticVisitorBase {
       Object* result = NULL;  // Initialization to please compiler.
       if (maybe_result->ToObject(&result)) {
         HeapObject* target = HeapObject::cast(result);
-        *slot = MigrateObject(heap, object , target, object_size);
+
+        // Order is important: slot might be inside of the target if target
+        // was allocated over a dead object and slot comes from the store
+        // buffer.
+        *slot = target;
+        MigrateObject(heap, object, target, object_size);
 
         if (object_contents == POINTER_OBJECT) {
           heap->promotion_queue()->insert(target, object_size);
@@ -1560,8 +1563,13 @@ class ScavengingVisitor : public StaticVisitorBase {
     MaybeObject* allocation = heap->new_space()->AllocateRaw(object_size);
     heap->promotion_queue()->SetNewLimit(heap->new_space()->top());
     Object* result = allocation->ToObjectUnchecked();
+    HeapObject* target = HeapObject::cast(result);
 
-    *slot = MigrateObject(heap, object, HeapObject::cast(result), object_size);
+    // Order is important: slot might be inside of the target if target
+    // was allocated over a dead object and slot comes from the store
+    // buffer.
+    *slot = target;
+    MigrateObject(heap, object, target, object_size);
 
     return;
   }
-- 
2.7.4
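Review bot: The invariant that `*slot = target;` must execute before `MigrateObject(heap, object, target, object_size);` is enforced by nothing but statement order, and the same three-line `// Order is important ...` comment is pasted verbatim at both call sites (the @@ -1547 and @@ -1560 hunks), so a later refactor of either site can silently reintroduce the write into the migrated object that the commit message describes. Consider keeping the full explanation once on MigrateObject's declaration and reducing each call site to `// Store into slot first: it may lie inside target (see MigrateObject).`, or, as a larger follow-up, having MigrateObject take the slot and perform the store itself so the order becomes a property of the helper rather than of every caller. Because the failure mode is a corrupted copied object rather than a crash, it seems unlikely that ordinary tests would catch a regression here. The enclosing functions of both hunks start and end outside the shown lines.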