Fix clearing of dead dependent codes and verify weak embedded maps on full GC.

src/mark-compact.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 67 matching lines @@
     for (Object** current = start; current < end; current++) {
       if ((*current)->IsHeapObject()) {
         HeapObject* object = HeapObject::cast(*current);
         CHECK(HEAP->mark_compact_collector()->IsMarked(object));
       }
     }
   }
 
   void VisitEmbeddedPointer(RelocInfo* rinfo) {
     ASSERT(rinfo->rmode() == RelocInfo::EMBEDDED_OBJECT);
-    if (!FLAG_weak_embedded_maps_in_optimized_code ||
+    if (!FLAG_weak_embedded_maps_in_optimized_code || !FLAG_collect_maps ||
         rinfo->host()->kind() != Code::OPTIMIZED_FUNCTION ||
         !rinfo->target_object()->IsMap() ||
         !Map::cast(rinfo->target_object())->CanTransition()) {
       VisitPointer(rinfo->target_object_address());
     }
   }
 };
 
 
 static void VerifyMarking(Address bottom, Address top) {
@@ skipping 727 matching lines @@
     space->PrepareForMarkCompact();
   }
 
 #ifdef VERIFY_HEAP
   if (!was_marked_incrementally_ && FLAG_verify_heap) {
     VerifyMarkbitsAreClean();
   }
 #endif
 }
 
+#ifdef VERIFY_HEAP
+static void VerifyWeakEmbeddedMapsInOptimizedCode(Heap* heap) {

[Michael Starzinger, 2013/01/31 14:27:50]

Move this function up to the other verifiers at the top of the file.

[ulan, 2013/02/04 09:54:06]

Done.

+  HeapObjectIterator code_iterator(heap->code_space());
+  for (HeapObject* obj = code_iterator.Next();
+       obj != NULL;
+       obj = code_iterator.Next()) {
+    Code* code = Code::cast(obj);
+    if (code->kind() != Code::OPTIMIZED_FUNCTION) continue;
+    if (code->marked_for_deoptimization()) continue;
+    code->VerifyEmbeddedMaps();
+  }
+}
+#endif
+
 class DeoptimizeMarkedCodeFilter : public OptimizedFunctionFilter {
  public:
   virtual bool TakeFunction(JSFunction* function) {
     return function->code()->marked_for_deoptimization();
   }
 };
 
 
 void MarkCompactCollector::Finish() {
 #ifdef DEBUG
   ASSERT(state_ == SWEEP_SPACES || state_ == RELOCATE_OBJECTS);
   state_ = IDLE;
 #endif
   // The stub cache is not traversed during GC; clear the cache to
   // force lazy re-initialization of it. This must be done after the
   // GC, because it relies on the new address of certain old space
   // objects (empty string, illegal builtin).
   heap()->isolate()->stub_cache()->Clear();
 
+#ifdef VERIFY_HEAP
+  if (FLAG_collect_maps && FLAG_weak_embedded_maps_in_optimized_code &&

[Michael Starzinger, 2013/01/31 14:27:50]

Move this call into MarkCompactCollector::CollectGarbage() where the other
verifiers are called.

[ulan, 2013/02/04 09:54:06]

Done.

+      heap()->weak_embedded_maps_verification_enabled()) {
+    VerifyWeakEmbeddedMapsInOptimizedCode(heap());
+  }
+#endif
+
   DeoptimizeMarkedCodeFilter filter;
   Deoptimizer::DeoptimizeAllFunctionsWith(&filter);
 }
 
 
 // -------------------------------------------------------------------------
 // Phase 1: tracing and marking live objects.
 //   before: all objects are in normal state.
 //   after: a live object's map pointer is marked as '00'.
 
@@ skipping 1438 matching lines @@
   AssertNoAllocation no_allocation_scope;
   DependentCodes* codes = map->dependent_codes();
   int number_of_codes = codes->number_of_codes();
   if (number_of_codes == 0) return;
   int new_number_of_codes = 0;
   for (int i = 0; i < number_of_codes; i++) {
     Code* code = codes->code_at(i);
     if (IsMarked(code) && !code->marked_for_deoptimization()) {
       if (new_number_of_codes != i) {
         codes->set_code_at(new_number_of_codes, code);
-        Object** slot = codes->code_slot_at(new_number_of_codes);
-        RecordSlot(slot, slot, code);
-        new_number_of_codes++;
       }
+      Object** slot = codes->code_slot_at(new_number_of_codes);

[ulan, 2013/01/29 15:02:58]

This was the bug that lead to crashes.

[Michael Starzinger, 2013/01/31 14:27:50]

Ouch, nice catch, I should have seen that in my initial review.

+      RecordSlot(slot, slot, code);
+      new_number_of_codes++;
     }
   }
   for (int i = new_number_of_codes; i < number_of_codes; i++) {
     codes->clear_code_at(i);
   }
   codes->set_number_of_codes(new_number_of_codes);
+  number_of_codes = codes->number_of_codes();

[Michael Starzinger, 2013/01/31 14:27:50]

This call seems to be obsolete.

[ulan, 2013/02/04 09:54:06]

Done.

 }
 
 
 void MarkCompactCollector::ProcessWeakMaps() {
   Object* weak_map_obj = encountered_weak_maps();
   while (weak_map_obj != Smi::FromInt(0)) {
     ASSERT(MarkCompactCollector::IsMarked(HeapObject::cast(weak_map_obj)));
     JSWeakMap* weak_map = reinterpret_cast<JSWeakMap*>(weak_map_obj);
     ObjectHashTable* table = ObjectHashTable::cast(weak_map->table());
     Object** anchor = reinterpret_cast<Object**>(table->address());
@@ skipping 1578 matching lines @@
   while (buffer != NULL) {
     SlotsBuffer* next_buffer = buffer->next();
     DeallocateBuffer(buffer);
     buffer = next_buffer;
   }
   *buffer_address = NULL;
 }
 
 
 } }  // namespace v8::internal