[heap] Fix inner pointer resolution for large objects

Inner pointer resolution should never return free space or filler objects. In some tests, however, there is free space or filler objects in large pages. This CL fixes this case. Bug: v8:13257 Change-Id: Id5b4875052843184cbe1777e3324e5b09771af49 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4069704 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org> Cr-Commit-Position: refs/heads/main@{#84709}
2022-12-07 15:47:39 +01:00 · 2022-12-07 15:47:39 +01:00 · aa89f8873f
commit aa89f8873f
parent d3b3ac4bfd
1 changed files with 7 additions and 1 deletions
--- a/src/heap/mark-compact.cc
+++ b/src/heap/mark-compact.cc
@ -2223,7 +2223,13 @@ Address MarkCompactCollector::FindBasePtrForMarking(Address maybe_inner_ptr) {
  if (chunk == nullptr) return kNullAddress;
  DCHECK(chunk->Contains(maybe_inner_ptr));
  // If it is contained in a large page, we want to mark the only object on it.
-  if (chunk->IsLargePage()) return chunk->area_start();
+  if (chunk->IsLargePage()) {
+    // This could be simplified if we could guarantee that there are no free
+    // space or filler objects in large pages. A few cctests violate this now.
+    HeapObject obj(static_cast<const LargePage*>(chunk)->GetObject());
+    PtrComprCageBase cage_base{chunk->heap()->isolate()};
+    return obj.IsFreeSpaceOrFiller(cage_base) ? kNullAddress : obj.address();
+  }
  // Otherwise, we have a pointer inside a normal page.
  const Page* page = static_cast<const Page*>(chunk);
  // If it is in the young generation "from" semispace, it is not used and we