From 189b355a76ea5a26fba18e712f4849f0435e856b Mon Sep 17 00:00:00 2001
From: hpayer
Date: Mon, 6 Apr 2015 07:58:06 -0700
Subject: [PATCH] Filter out remembered slots that are at the start of an object.

These slots are invalid and can result in a broken offset when slot index and start of object are equal and are at the beginning of a cell.
Moreover, make DCHECKs CHECKs to catch bugs in the wild.

BUG=chromium:473174
LOG=n

Review URL: https://codereview.chromium.org/1051243004

Cr-Commit-Position: refs/heads/master@{#27602}
---
 src/heap/mark-compact.cc | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/heap/mark-compact.cc b/src/heap/mark-compact.cc
index aacefd818a7..be1825f40bf 100644
--- a/src/heap/mark-compact.cc
+++ b/src/heap/mark-compact.cc
@@ -3122,7 +3122,14 @@ bool MarkCompactCollector::IsSlotInBlackObject(Page* p, Address slot,
   unsigned int cell_base_start_index = Bitmap::IndexToCell(
       Bitmap::CellAlignIndex(p->AddressToMarkbitIndex(cell_base)));
 
-  // First check if the object is in the current cell.
+  // Check if the slot points to the start of an object. This can happen e.g.
+  // when we left trim a fixed array. Such slots are invalid and we can remove
+  // them.
+  if ((cells[start_index] & index_in_cell) != 0) {
+    return false;
+  }
+
+  // Check if the object is in the current cell.
   MarkBit::CellType slot_mask;
   if ((cells[start_index] == 0) ||
       (base::bits::CountTrailingZeros32(cells[start_index])
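Review bot: The comment above the new early return says the invalid slots are removed, but the added code only returns false; the filtering itself is not visible in this hunk and presumably happens in the caller of IsSlotInBlackObject, so say that instead of "we can remove them": `// Such slots are invalid; return false so that the caller drops them.` The condition `(cells[start_index] & index_in_cell) != 0` reads as a mask test, and the existing `slot_mask = index_in_cell - 1` plus the new `CHECK(index_in_cell > 1)` in the second hunk treat index_in_cell the same way, although the line that computes it is outside both hunks. A one-line comment stating that index_in_cell is the slot's single mark bit within the cell rather than a bit position would settle that for the reader. The enclosing function starts before this hunk.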
>
@@ -3144,23 +3151,26 @@ bool MarkCompactCollector::IsSlotInBlackObject(Page* p, Address slot,
     // The object is in a preceding cell. Set the mask to find any object.
     slot_mask = 0xffffffff;
   } else {
+    // The object start is before the the slot index. Hence, in this case the
+    // slot index can not be at the beginning of the cell.
+    CHECK(index_in_cell > 1);
     // We are interested in object mark bits right before the slot.
     slot_mask = index_in_cell - 1;
   }
 
   MarkBit::CellType current_cell = cells[start_index];
-  DCHECK(current_cell != 0);
+  CHECK(current_cell != 0);
 
   // Find the last live object in the cell.
   unsigned int leading_zeros =
       base::bits::CountLeadingZeros32(current_cell & slot_mask);
-  DCHECK(leading_zeros != 32);
+  CHECK(leading_zeros != 32);
   unsigned int offset = Bitmap::kBitIndexMask - leading_zeros;
 
   cell_base += (start_index - cell_base_start_index) * 32 * kPointerSize;
   Address address = cell_base + offset * kPointerSize;
   HeapObject* object = HeapObject::FromAddress(address);
-  DCHECK(object->address() < reinterpret_cast
(slot));
+
(slot));
   if (object->address() <= slot &&
       (object->address() + object->Size()) > slot) {
     // If the slot is within the last found object in the cell, the slot is
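Review bot: The new comment before `CHECK(index_in_cell > 1)` has a doubled word, "before the the slot index", and its reasoning only holds if index_in_cell is a one-bit mask, where the first bit of a cell has the value 1; if it were a bit position the bound would be 0, so the comment should say which it is, e.g. `// index_in_cell is the slot's mark bit, so the value 1 means the cell start.` The three DCHECK-to-CHECK promotions keep these invariants in release builds, which the commit message justifies as catching the bug in the wild; since a failing check here means an address that would otherwise be treated as a live HeapObject, crashing is the safer outcome than continuing. A marker such as `// TODO(hpayer): revert to DCHECK once chromium:473174 is resolved.` next to them would record that they are diagnostic rather than permanent. The CHECK line on the slot address appears mangled on this page (its template argument is missing), so its exact text could not be reviewed. The enclosing function continues past the end of this hunk.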