When scavenging update source slot before migrating object it points to.

Source slot might belong to a dead old object and we might allocate a new object over it when evacuating a new space object this slot points to. In this case if we update slot after migrating object we will write into migrated object. R=erik.corry@gmail.com Review URL: http://codereview.chromium.org/8698022 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10082 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2011-11-29 10:02:38 +00:00 · 2011-11-29 10:02:38 +00:00 · 23c15e495c
commit 23c15e495c
parent e3eb71e991
1 changed files with 16 additions and 8 deletions
--- a/src/heap.cc
+++ b/src/heap.cc
@ -1486,10 +1486,10 @@ class ScavengingVisitor : public StaticVisitorBase {
  // Helper function used by CopyObject to copy a source object to an
  // allocated target object and update the forwarding pointer in the source
  // object.  Returns the target object.
-  INLINE(static HeapObject* MigrateObject(Heap* heap,
-                                          HeapObject* source,
-                                          HeapObject* target,
-                                          int size)) {
+  INLINE(static void MigrateObject(Heap* heap,
+                                   HeapObject* source,
+                                   HeapObject* target,
+                                   int size)) {
    // Copy the content of source to target.
    heap->CopyBlock(target->address(), source->address(), size);

@ -1515,8 +1515,6 @@ class ScavengingVisitor : public StaticVisitorBase {
        MemoryChunk::IncrementLiveBytes(target->address(), size);
      }
    }
-
-    return target;
  }

  template<ObjectContents object_contents, SizeRestriction size_restriction>
@ -1547,7 +1545,12 @@ class ScavengingVisitor : public StaticVisitorBase {
      Object* result = NULL;  // Initialization to please compiler.
      if (maybe_result->ToObject(&result)) {
        HeapObject* target = HeapObject::cast(result);
-        *slot = MigrateObject(heap, object , target, object_size);
+
+        // Order is important: slot might be inside of the target if target
+        // was allocated over a dead object and slot comes from the store
+        // buffer.
+        *slot = target;
+        MigrateObject(heap, object, target, object_size);

        if (object_contents == POINTER_OBJECT) {
          heap->promotion_queue()->insert(target, object_size);
@ -1560,8 +1563,13 @@ class ScavengingVisitor : public StaticVisitorBase {
    MaybeObject* allocation = heap->new_space()->AllocateRaw(object_size);
    heap->promotion_queue()->SetNewLimit(heap->new_space()->top());
    Object* result = allocation->ToObjectUnchecked();
+    HeapObject* target = HeapObject::cast(result);

-    *slot = MigrateObject(heap, object, HeapObject::cast(result), object_size);
+    // Order is important: slot might be inside of the target if target
+    // was allocated over a dead object and slot comes from the store
+    // buffer.
+    *slot = target;
+    MigrateObject(heap, object, target, object_size);
    return;
  }