[heap] Make LiveObjectIterator concurrency safe

LiveObjectIterator sometimes runs concurrently to the main thread. In this scenarios we are not allowed to access memory of live objects in non-atomic ways. Use synchronized reads where needed. Correctness (already ok in current state): - Reading a larger size is fine per definition. - Reading a smaller size is fine since are guaranteed that one word fillers will follow. BUG=v8:5583 R=ulan@chromium.org,hpayer@chromium.org Review-Url: https://codereview.chromium.org/2477823003 Cr-Commit-Position: refs/heads/master@{#40798}
2016-11-07 03:11:09 -08:00 · 2016-11-07 03:11:09 -08:00 · 142d4f97c0
commit 142d4f97c0
parent 072ea0c836
2 changed files with 8 additions and 4 deletions
--- a/src/heap/mark-compact-inl.h
+++ b/src/heap/mark-compact-inl.h
@ -163,12 +163,14 @@ HeapObject* LiveObjectIterator<T>::Next() {
        current_cell_ = *it_.CurrentCell();
      }

+      Map* map = nullptr;
      if (current_cell_ & second_bit_index) {
        // We found a black object. If the black object is within a black area,
        // make sure that we skip all set bits in the black area until the
        // object ends.
        HeapObject* black_object = HeapObject::FromAddress(addr);
-        Address end = addr + black_object->Size() - kPointerSize;
+        map = base::NoBarrierAtomicValue<Map*>::FromAddress(addr)->Value();
+        Address end = addr + black_object->SizeFromMap(map) - kPointerSize;
        // One word filler objects do not borrow the second mark bit. We have
        // to jump over the advancing and clearing part.
        // Note that we know that we are at a one word filler when
@ -198,9 +200,9 @@ HeapObject* LiveObjectIterator<T>::Next() {

      // We found a live object.
      if (object != nullptr) {
-        if (object->IsFiller()) {
-          // Black areas together with slack tracking may result in black filler
-          // objects. We filter these objects out in the iterator.
+        if (map != nullptr && map == heap()->one_pointer_filler_map()) {
+          // Black areas together with slack tracking may result in black one
+          // word filler objects. We filter these objects out in the iterator.
          object = nullptr;
        } else {
          break;
--- a/src/heap/mark-compact.h
+++ b/src/heap/mark-compact.h
@ -321,6 +321,8 @@ class LiveObjectIterator BASE_EMBEDDED {
  HeapObject* Next();

 private:
+  inline Heap* heap() { return chunk_->heap(); }
+
  MemoryChunk* chunk_;
  MarkBitCellIterator it_;
  Address cell_base_;