Fix code flusher disabling while marking incrementally.

This fixes a corner case where the code flusher is disabled while the
incremental marker is still running. This can happen when the debugger
is loaded and a scavenge is triggered. Make sure that all flushing
decisions are revisited after the candidates lists are evicted.

R=hpayer@chromium.org
BUG=chromium:173458,chromium:168582
TEST=cctest/test-heap/Regress173458

Review URL: https://codereview.chromium.org/12217108

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13641 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/mark-compact.cc

@@ -1104,17 +1104,14 @@ void CodeFlusher::EvictCandidate(JSFunction* function) {
 
 
 void CodeFlusher::EvictJSFunctionCandidates() {
-  Object* undefined = isolate_->heap()->undefined_value();
-
   JSFunction* candidate = jsfunction_candidates_head_;
   JSFunction* next_candidate;
   while (candidate != NULL) {
     next_candidate = GetNextCandidate(candidate);
-    ClearNextCandidate(candidate, undefined);
+    EvictCandidate(candidate);
     candidate = next_candidate;
   }
-
-  jsfunction_candidates_head_ = NULL;
+  ASSERT(jsfunction_candidates_head_ == NULL);
 }
 
 
@@ -1123,11 +1120,10 @@ void CodeFlusher::EvictSharedFunctionInfoCandidates() {
   SharedFunctionInfo* next_candidate;
   while (candidate != NULL) {
     next_candidate = GetNextCandidate(candidate);
-    ClearNextCandidate(candidate);
+    EvictCandidate(candidate);
     candidate = next_candidate;
   }
-
-  shared_function_info_candidates_head_ = NULL;
+  ASSERT(shared_function_info_candidates_head_ == NULL);
 }
 
 

test/cctest/test-heap.cc

@@ -2837,3 +2837,54 @@ TEST(Regress168801) {
   HEAP->CollectAllGarbage(Heap::kNoGCFlags);
   HEAP->CollectAllGarbage(Heap::kNoGCFlags);
 }
+
+
+TEST(Regress173458) {
+  i::FLAG_always_compact = true;
+  i::FLAG_cache_optimized_code = false;
+  i::FLAG_allow_natives_syntax = true;
+  i::FLAG_flush_code_incrementally = true;
+  InitializeVM();
+  v8::HandleScope scope;
+
+  // Perform one initial GC to enable code flushing.
+  HEAP->CollectAllGarbage(Heap::kAbortIncrementalMarkingMask);
+
+  // Ensure the code ends up on an evacuation candidate.
+  SimulateFullSpace(HEAP->code_space());
+
+  // Prepare an unoptimized function that is eligible for code flushing.
+  Handle<JSFunction> function;
+  {
+    HandleScope inner_scope;
+    CompileRun("function mkClosure() {"
+               "  return function(x) { return x + 1; };"
+               "}"
+               "var f = mkClosure();"
+               "f(1); f(2);");
+
+    Handle<JSFunction> f =
+        v8::Utils::OpenHandle(
+            *v8::Handle<v8::Function>::Cast(
+                v8::Context::GetCurrent()->Global()->Get(v8_str("f"))));
+    CHECK(f->is_compiled());
+    const int kAgingThreshold = 6;
+    for (int i = 0; i < kAgingThreshold; i++) {
+      f->shared()->code()->MakeOlder(static_cast<MarkingParity>(i % 2));
+    }
+
+    function = inner_scope.CloseAndEscape(handle(*f, ISOLATE));
+  }
+
+  // Simulate incremental marking so that unoptimized function is enqueued as a
+  // candidate for code flushing. The shared function info however will not be
+  // explicitly enqueued.
+  SimulateIncrementalMarking();
+
+  // Now enable the debugger which in turn will disable code flushing.
+  CHECK(ISOLATE->debug()->Load());
+
+  // This cycle will bust the heap and subsequent cycles will go ballistic.
+  HEAP->CollectAllGarbage(Heap::kNoGCFlags);
+  HEAP->CollectAllGarbage(Heap::kNoGCFlags);
+}