[oilpan] Filter deleted weakcell slots during incremental marking

Slots may be deleted after recording a callback for them. Filter out those slots accordingly during processing. Bug: chromium:757440 Change-Id: I23c17c2f79af41a8539b8d4734ec677fb0b99c0b Reviewed-on: https://chromium-review.googlesource.com/1000865 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Commit-Position: refs/heads/master@{#549465}

[oilpan] Filter deleted weakcell slots during incremental marking
Slots may be deleted after recording a callback for them. Filter out those slots accordingly during processing. Bug: chromium:757440 Change-Id: I23c17c2f79af41a8539b8d4734ec677fb0b99c0b Reviewed-on: https://chromium-review.googlesource.com/1000865 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Commit-Position: refs/heads/master@{#549465}
2da3fcd0 · Michael Lippautz · Commit Bot · c768dee9 · 2da3fcd0
Commit 2da3fcd0 authored Apr 10, 2018 by Michael Lippautz Committed by Commit Bot Apr 10, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

third_party/blink/renderer/platform/heap/heap.h third_party/blink/renderer/platform/heap/heap.h +4 -1

No files found.
--- a/third_party/blink/renderer/platform/heap/heap.h
+++ b/third_party/blink/renderer/platform/heap/heap.h
@@ -740,7 +740,10 @@ Address ThreadHeap::Reallocate(void* previous, size_t size) {
 template <typename T>
 void Visitor::HandleWeakCell(Visitor* self, void* object) {
  T** cell = reinterpret_cast<T**>(object);
-  if (*cell && !ObjectAliveTrait<T>::IsHeapObjectAlive(*cell))
+  // '-1' means deleted value. This can happen when weak fields are deleted
+  // while incremental marking is running.
+  if (*cell && (*cell == reinterpret_cast<T*>(-1) ||
+                !ObjectAliveTrait<T>::IsHeapObjectAlive(*cell)))
    *cell = nullptr;
 }