Google Git
Sign in
chromium / v8 / v8 / 719d23c032a5d92998505fb642a7afd361f3e3ea
commit719d23c032a5d92998505fb642a7afd361f3e3ea[log] [tgz]
authorUlan Degenbaev <ulan@chromium.org>Tue Aug 07 17:33:27 2018
committerCommit Bot <commit-bot@chromium.org>Tue Aug 07 18:19:58 2018
tree409e310453e0a341f92f5910f271267d3054c7b1
parentbbe8db594806ccf2ebc7b1b36f441687d1050f65 [diff]
Fix invalidation of old-to-old slots after object trimming.

A recorded old-to-old slot may be overwritten with a pointer to a new
space object. If the object containing the slot is trimmed later on,
then the mark-compactor may crash on a stale pointer to new space.

This patch ensures that:
1) On trimming of an object we add it to the invalidated_slots sets.
2) The InvalidatedSlotsFilter::IsValid returns false for slots outside
   the invalidated object unless the page was already swept.

Array left-trimming is handled as a special case because object start
moves and cannot be added to the invalidated set. Instead, we clear
the freed memory so that the recorded slots contain Smi values.

Bug: chromium:870226,chromium:816426
Change-Id: Iffc05a58fcf52ece45fdb085b5d1fd4b3acb5d53
Reviewed-on: https://chromium-review.googlesource.com/1163784
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54953}
9 files changed
tree: 409e310453e0a341f92f5910f271267d3054c7b1
  1. benchmarks/
  2. build_overrides/
  3. custom_deps/
  4. docs/
  5. gni/
  6. include/
  7. infra/
  8. samples/
  9. src/
  10. test/
  11. testing/
  12. third_party/
  13. tools/
  14. .clang-format
  15. .editorconfig
  16. .git-blame-ignore-revs
  17. .gitattributes
  18. .gitignore
  19. .gn
  20. .vpython
  21. .ycm_extra_conf.py
  22. AUTHORS
  23. BUILD.gn
  24. ChangeLog
  25. CODE_OF_CONDUCT.md
  26. codereview.settings
  27. DEPS
  28. LICENSE
  29. LICENSE.fdlibm
  30. LICENSE.strongtalk
  31. LICENSE.v8
  32. LICENSE.valgrind
  33. OWNERS
  34. PRESUBMIT.py
  35. README.md
  36. snapshot_toolchain.gni
  37. WATCHLISTS
README.md

V8 JavaScript Engine

V8 is Google's open source JavaScript engine.

V8 implements ECMAScript as specified in ECMA-262.

V8 is written in C++ and is used in Google Chrome, the open source browser from Google.

V8 can run standalone, or can be embedded into any C++ application.

V8 Project page: https://github.com/v8/v8/wiki

Getting the Code

Checkout depot tools, and run

    fetch v8

This will checkout V8 into the directory v8 and fetch all of its dependencies. To stay up to date, run

    git pull origin
    gclient sync

For fetching all branches, add the following into your remote configuration in .git/config:

    fetch = +refs/branch-heads/*:refs/remotes/branch-heads/*
    fetch = +refs/tags/*:refs/tags/*

Contributing

Please follow the instructions mentioned on the V8 wiki.