Reland "Fix invalidation of old-to-old slots after object trimming."

This reverts commit 5b434929a34f846f0002857765a3f505e0a2d736.

Changes after the original CL:
- Right-trimming registers the array as an object with invalidated
- Left-trimming moves the array start in the invalidated slots map.

Original change's description:
> Fix invalidation of old-to-old slots after object trimming.
> A recorded old-to-old slot may be overwritten with a pointer to a new
> space object. If the object containing the slot is trimmed later on,
> then the mark-compactor may crash on a stale pointer to new space.
> This patch ensures that:
> 1) On trimming of an object we add it to the invalidated_slots sets.
> 2) The InvalidatedSlotsFilter::IsValid returns false for slots outside
>    the invalidated object unless the page was already swept.
> Array left-trimming is handled as a special case because object start
> moves and cannot be added to the invalidated set. Instead, we clear
> the freed memory so that the recorded slots contain Smi values.
> Bug: chromium:870226,chromium:816426
> Change-Id: Iffc05a58fcf52ece45fdb085b5d1fd4b3acb5d53
> Reviewed-on:
> Commit-Queue: Ulan Degenbaev <>
> Reviewed-by: Hannes Payer <>
> Reviewed-by: Michael Lippautz <>
> Cr-Commit-Position: refs/heads/master@{#54953}

Change-Id: I1f1080f680196c581f62aef8d3a00a595f9bb9b0
Commit-Queue: Ulan Degenbaev <>
Reviewed-by: Michael Lippautz <>
Reviewed-by: Hannes Payer <>
Cr-Commit-Position: refs/heads/master@{#55066}
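The sequence the commit message describes (an old-to-old slot is recorded, overwritten with a pointer to new space, and then trimmed away before the mark-compactor visits it), as an added toy model in C++. This is not V8's code: the word-addressed heap, the `ToyHeap` and `RunScenario` names, promoting every new-space object on collection, and dropping old-to-new entries for the freed tail on trim are simplifying assumptions made here so that the stale-slot failure and the invalidated-slots filter can be seen side by side.

```cpp
// Added illustration, not V8 code. Toy heap with remembered sets to show why
// right-trimming must invalidate recorded old-to-old slots in the freed tail.
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>
#include <vector>

using Word = std::uint64_t;
constexpr Word kTag = 1;                    // low bit set = heap pointer, clear = Smi
constexpr std::size_t kNewSpaceStart = 64;  // word addresses [0,64) old, [64,128) new
constexpr std::size_t kHeapWords = 128;

inline bool IsHeapPtr(Word w) { return (w & kTag) != 0; }
inline Word PtrTo(std::size_t addr) { return (static_cast<Word>(addr) << 1) | kTag; }
inline std::size_t AddrOf(Word w) { return static_cast<std::size_t>(w >> 1); }
inline Word Smi(int v) { return static_cast<Word>(v) << 1; }
inline bool InNewSpace(std::size_t addr) { return addr >= kNewSpaceStart; }

struct Invalidated { std::size_t live_size; std::size_t old_size; };

struct ToyHeap {
  std::vector<Word> words = std::vector<Word>(kHeapWords, Smi(0));
  std::map<std::size_t, std::size_t> sizes;        // object start -> current size
  std::set<std::size_t> old_to_old;                // recorded slot addresses
  std::set<std::size_t> old_to_new;
  std::map<std::size_t, Invalidated> invalidated;  // trimmed objects (the fix)
  std::size_t old_top = 0, new_top = kNewSpaceStart;
  bool new_space_released = false;

  std::size_t Allocate(bool in_old, std::size_t size) {
    std::size_t& top = in_old ? old_top : new_top;
    std::size_t start = top;
    top += size;
    sizes[start] = size;
    return start;
  }

  // Write barrier: record the slot in the set matching the pointee's space.
  // An older old-to-old entry for the same slot is deliberately left behind,
  // which is the situation the commit message starts from.
  void Store(std::size_t slot, Word value) {
    words[slot] = value;
    if (!IsHeapPtr(value)) return;
    if (InNewSpace(AddrOf(value))) old_to_new.insert(slot);
    else old_to_old.insert(slot);
  }

  // Right-trim: the tail [start+new_size, start+old_size) becomes free memory.
  void RightTrim(std::size_t start, std::size_t new_size, bool register_invalidated) {
    std::size_t old_size = sizes.at(start);
    for (std::size_t s = start + new_size; s < start + old_size; ++s) old_to_new.erase(s);
    sizes[start] = new_size;
    if (register_invalidated) invalidated[start] = {new_size, old_size};
  }

  // Simplified filter: a slot inside a trimmed object's freed tail is invalid.
  bool SlotIsValid(std::size_t slot) const {
    auto it = invalidated.upper_bound(slot);
    if (it == invalidated.begin()) return true;
    --it;
    std::size_t start = it->first;
    if (slot >= start + it->second.old_size) return true;  // past the trimmed object
    return slot - start < it->second.live_size;            // only the live part is valid
  }

  struct Result { int stale_slots_hit = 0; int slots_skipped = 0; };

  // Mark-compact reduced to the two steps that matter here.
  Result MarkCompact() {
    // 1. Promote every new-space object; fix up only slots still in old_to_new.
    std::map<std::size_t, std::size_t> forwarding;
    std::map<std::size_t, std::size_t> snapshot = sizes;
    for (const auto& kv : snapshot) {
      if (!InNewSpace(kv.first)) continue;
      std::size_t dst = Allocate(true, kv.second);
      for (std::size_t i = 0; i < kv.second; ++i) words[dst + i] = words[kv.first + i];
      forwarding[kv.first] = dst;
      sizes.erase(kv.first);
    }
    for (std::size_t slot : old_to_new) {
      Word v = words[slot];
      if (IsHeapPtr(v) && forwarding.count(AddrOf(v))) words[slot] = PtrTo(forwarding[AddrOf(v)]);
    }
    old_to_new.clear();
    new_space_released = true;  // the real engine unmaps these pages
    // 2. Visit old-to-old slots; a stale one still points into released new space.
    Result r;
    for (std::size_t slot : old_to_old) {
      if (!SlotIsValid(slot)) { ++r.slots_skipped; continue; }
      Word v = words[slot];
      if (IsHeapPtr(v) && InNewSpace(AddrOf(v)) && new_space_released) ++r.stale_slots_hit;
    }
    return r;
  }
};

ToyHeap::Result RunScenario(bool with_fix) {
  ToyHeap heap;
  std::size_t target_old = heap.Allocate(true, 2);  // constructed old-space object
  std::size_t array = heap.Allocate(true, 8);       // old-space array of 8 words
  std::size_t slot = array + 6;                     // lies in the part trimmed below
  heap.Store(slot, PtrTo(target_old));              // slot recorded in old_to_old
  std::size_t young = heap.Allocate(false, 2);      // new-space object
  heap.Store(slot, PtrTo(young));                   // overwritten; old_to_old entry stays
  heap.RightTrim(array, 4, with_fix);               // freed tail now holds the stale slot
  return heap.MarkCompact();
}
```

`RunScenario(false)` reproduces the crash precondition: the slot survives in `old_to_old`, its old-to-new entry was dropped on trim so evacuation never updates it, and the collector reads a pointer into released new space. `RunScenario(true)` registers the trimmed array as invalidated, and the filter skips the slot instead.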
10 files changed
tree: 6805dbf98a496e3cac23f6d19b629581f6140d2f

V8 JavaScript Engine

V8 is Google's open source JavaScript engine.

V8 implements ECMAScript as specified in ECMA-262.

V8 is written in C++ and is used in Google Chrome, the open source browser from Google.

V8 can run standalone, or can be embedded into any C++ application.

V8 Project page:

Getting the Code

Check out depot_tools, and run

    fetch v8

This will check out V8 into the directory v8 and fetch all of its dependencies. To stay up to date, run

    git pull origin
    gclient sync

To fetch all branches, add the following to your remote configuration in .git/config:

    fetch = +refs/branch-heads/*:refs/remotes/branch-heads/*
    fetch = +refs/tags/*:refs/tags/*


Please follow the instructions mentioned on the V8 wiki.