HeapCompaction: Fix a Crash bug in Relocate()
This CL fixes a crash bug in Relocate().
It is caused when we relocate backings that were dereferenced in EagerSweep/PreFinalizer/WeakProcessing.
The slots are no longer referenced so we can early return and fix the bug.
Bug: 869301
Change-Id: Id46854267065744f38f9be567b7d286f2175b99f
Reviewed-on: https://chromium-review.googlesource.com/1155329
Commit-Queue: Haruka Matsumura <harukamt@google.com>
Reviewed-by: Keishi Hattori <keishi@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#579384}
diff --git a/third_party/blink/renderer/platform/heap/heap_compact.cc b/third_party/blink/renderer/platform/heap/heap_compact.cc
index 3c9ab97..d0ab4ad 100644
--- a/third_party/blink/renderer/platform/heap/heap_compact.cc
+++ b/third_party/blink/renderer/platform/heap/heap_compact.cc
@@ -156,7 +156,14 @@
void Relocate(Address from, Address to) {
auto it = fixups_.find(from);
- DCHECK(it != fixups_.end());
+ /// This means that there is no corresponding slot for a live backing store.
+ // This may happen because a mutator may change the slot to point to a
+ // different backing store after an incremental marking traced the slot (and
+ // marked the old backing store as live).
+ // As another case, this may happen becuase we may relocate backings that
+ // were dereferenced in EagerSweep/PreFinalizer/WeapProcessing.
+ if (it == fixups_.end())
+ return;
#if DCHECK_IS_ON()
BasePage* from_page = PageFromObject(from);
DCHECK(relocatable_pages_.Contains(from_page));
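Review bot: the new early return replaces the DCHECK with a silent skip for both cases listed in the comment, so a backing store that reaches Relocate() with no registered slot is now never reported, even in debug builds; if the first case (a mutator retargeting the slot after incremental marking traced it) is the expected one and the second (backings already dereferenced during EagerSweep/PreFinalizer/WeakProcessing) is the crash being fixed, it is worth stating in the comment why returning without copying is safe in both, namely that no live slot still points at `from`. Also, the comment block opens with a stray triple slash (`/// This means that there is no corresponding slot ...`) while the following lines use `//`, and "becuase" and "WeapProcessing" should read "because" and "WeakProcessing" to match the names used elsewhere in the commit message.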