Google Git
Sign in
chromium / v8 / v8 / d4fc4a8cad0a8f94ea2a8bca7c76cebd8793395c
commitd4fc4a8cad0a8f94ea2a8bca7c76cebd8793395c[log] [tgz]
authormlippautz <mlippautz@chromium.org>Wed Dec 02 11:43:32 2015
committerCommit bot <commit-bot@chromium.org>Wed Dec 02 11:43:42 2015
tree0256ae3f5de496783a1819f2f23db0538eaef947
parent09032dade4d062664d497f7e1b0922275c3ad7dc [diff]
Revert of [heap] Clean up stale store buffer entries for aborted pages. (patchset #4 id:60001 of https://codereview.chromium.org/1493653002/ )

Reason for revert:
Not completely correct fix.

Original issue's description:
> [heap] Clean up stale store buffer entries for aborted pages.
>
> 1.  Let X be the aborted slot (slot in an evacuated object in an aborted page)
> 2.  Assume X contains pointer to Y and Y is in the new space, so X is in the
>     store buffer.
> 3.  Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
> 4.  The current mark-sweep finishes. The slot X is in free space and is also in
>     the store buffer.
> 5.  A string of length 9 "abcdefghi" is allocated in the new space. The string
>     looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
>     previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
>     object before.
> 6.  Scavenge happens.
> 7.  Slot X is still in free space and in store buffer. [It causes scavenge of
>     the object Y in
>     store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
>     it is not important].
> 8.  Our string is promoted and is allocated over the slot X, such that NNNNNNNi
>     is written in X.
> 9.  The scavenge finishes.
> 9.  Another scavenge starts.
> 10. We crash in
>     store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
>     processing slot X, because it doesn't point to valid map.
>
> BUG=chromium:524425,chromium:564498
> LOG=N
> R=hpayer@chromium.org, ulan@chromium.org
>
> Committed: https://crrev.com/2e7eea4aef3403969fe885e30f892d46253b3572
> Cr-Commit-Position: refs/heads/master@{#32495}

TBR=hpayer@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425,chromium:564498

Review URL: https://codereview.chromium.org/1489243004

Cr-Commit-Position: refs/heads/master@{#32504}
2 files changed
tree: 0256ae3f5de496783a1819f2f23db0538eaef947
  1. benchmarks/
  2. build/
  3. docs/
  4. include/
  5. infra/
  6. samples/
  7. src/
  8. test/
  9. testing/
  10. third_party/
  11. tools/
  12. .clang-format
  13. .gitignore
  14. .ycm_extra_conf.py
  15. AUTHORS
  16. BUILD.gn
  17. ChangeLog
  18. codereview.settings
  19. DEPS
  20. LICENSE
  21. LICENSE.strongtalk
  22. LICENSE.v8
  23. LICENSE.valgrind
  24. Makefile
  25. Makefile.android
  26. Makefile.nacl
  27. OWNERS
  28. PRESUBMIT.py
  29. README.md
  30. snapshot_toolchain.gni
  31. WATCHLISTS
README.md

V8 JavaScript Engine

V8 is Google's open source JavaScript engine.

V8 implements ECMAScript as specified in ECMA-262.

V8 is written in C++ and is used in Google Chrome, the open source browser from Google.

V8 can run standalone, or can be embedded into any C++ application.

V8 Project page: https://github.com/v8/v8/wiki

Getting the Code

Checkout depot tools, and run

    fetch v8

This will checkout V8 into the directory v8 and fetch all of its dependencies. To stay up to date, run

    git pull origin
    gclient sync

For fetching all branches, add the following into your remote configuration in .git/config:

    fetch = +refs/branch-heads/*:refs/remotes/branch-heads/*
    fetch = +refs/tags/*:refs/tags/*

Contributing

Please follow the instructions mentioned on the V8 wiki.