[heap] Fix black allocation.

This patch ensures that an object returned by AllocateRaw is marked
black if black allocation starts during the object allocation.

This fixes the following issue:
1) Generated code requests allocation of size N for folded allocation.
2) Runtime gets a free list node at address A of size N+M and sets up
   a linear allocation area with top = A+N and limit = A+N+M.
3) Runtime invokes the allocation observer that starts incremental marking
   and start black allocation. The area [A+N, A+N+M) is marked black.
4) Runtime returns a white object at address A as the allocation result.
5) Generated code moves the top pointer to A and does bump pointer
   allocations of white objects from A to A+N+M.
6) Object allocated new A+N can have the impossible marbit pattern.

Bug: chromium:694255
Change-Id: I09ceebc97a510fa5fe4ff20706bc46a99f8b7cf4
Reviewed-on: https://chromium-review.googlesource.com/638338
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48005}
5 files changed
tree: 2e2ad88f565e786586f21c7cb0981bd0005c9cc1
  1. .clang-format
  2. .editorconfig
  3. .gitignore
  4. .gn
  5. .ycm_extra_conf.py
  7. BUILD.gn
  9. ChangeLog
  10. DEPS
  12. LICENSE.fdlibm
  13. LICENSE.strongtalk
  14. LICENSE.v8
  15. LICENSE.valgrind
  16. Makefile
  17. Makefile.android
  18. OWNERS
  19. PRESUBMIT.py
  20. README.md
  22. benchmarks/
  23. build_overrides/
  24. codereview.settings
  25. docs/
  26. gni/
  27. gypfiles/
  28. include/
  29. infra/
  30. samples/
  31. snapshot_toolchain.gni
  32. src/
  33. test/
  34. testing/
  35. third_party/
  36. tools/

V8 JavaScript Engine

V8 is Google's open source JavaScript engine.

V8 implements ECMAScript as specified in ECMA-262.

V8 is written in C++ and is used in Google Chrome, the open source browser from Google.

V8 can run standalone, or can be embedded into any C++ application.

V8 Project page: https://github.com/v8/v8/wiki

Getting the Code

Checkout depot tools, and run

    fetch v8

This will checkout V8 into the directory v8 and fetch all of its dependencies. To stay up to date, run

    git pull origin
    gclient sync

For fetching all branches, add the following into your remote configuration in .git/config:

    fetch = +refs/branch-heads/*:refs/remotes/branch-heads/*
    fetch = +refs/tags/*:refs/tags/*


Please follow the instructions mentioned on the V8 wiki.