deps: backport d800a65 from V8 upstream

MylesBorins · MylesBorins · commit 8bd3d83e0164 · 2017-01-31T20:04:27.000-05:00
This backport does not include the original changes to SLOW_DCHECK as it does not exist in the V8 in node v4.x Original commit message: Filter out stale left-trimmed handles BUG=chromium:620553 LOG=N R=jochen@chromium.org Review-Url: https://codereview.chromium.org/2078403002 Cr-Commit-Position: refs/heads/master@{#37108} PR-URL: #10668 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
diff --git a/deps/v8/src/heap/mark-compact.cc b/deps/v8/src/heap/mark-compact.cc
@@ -1648,8 +1648,34 @@ class RootMarkingVisitor : public ObjectVisitor {
   void MarkObjectByPointer(Object** p) {
     if (!(*p)->IsHeapObject()) return;
 
-    // Replace flat cons strings in place.
     HeapObject* object = ShortCircuitConsString(p);
+
+    // We cannot avoid stale handles to left-trimmed objects, but can only make
+    // sure all handles still needed are updated. Filter out any stale pointers
+    // and clear the slot to allow post processing of handles (needed because
+    // the sweeper might actually free the underlying page).
+    if (object->IsFiller()) {
+#ifdef DEBUG
+      // We need to find a FixedArrayBase map after walking the fillers.
+      Heap* heap = collector_->heap();
+      HeapObject* current = object;
+      while (current->IsFiller()) {
+        Address next = reinterpret_cast<Address>(current);
+        if (current->map() == heap->one_pointer_filler_map()) {
+          next += kPointerSize;
+        } else if (current->map() == heap->two_pointer_filler_map()) {
+          next += 2 * kPointerSize;
+        } else {
+          next += current->Size();
+        }
+        current = reinterpret_cast<HeapObject*>(next);
+      }
+      DCHECK(current->IsFixedArrayBase());
+#endif  // DEBUG
+      *p = nullptr;
+      return;
+    }
+
     MarkBit mark_bit = Marking::MarkBitFrom(object);
     if (Marking::IsBlackOrGrey(mark_bit)) return;
 
diff --git a/deps/v8/test/mjsunit/regress/regress-620553.js b/deps/v8/test/mjsunit/regress/regress-620553.js
@@ -0,0 +1,17 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc
+
+var o0 = [];
+var o1 = [];
+var cnt = 0;
+o1.__defineGetter__(0, function() {
+  if (cnt++ > 2) return;
+  o0.shift();
+  gc();
+  o0.push(0);
+  o0.concat(o1);
+});
+o1[0];
