Version 3.28.71.15 (merged r23824)

Remove guard page mechanism from promotion queue.

BUG=chromium:411210
LOG=N
TBR=jarin@chromium.org

Review URL: https://codereview.chromium.org/617493005

git-svn-id: https://v8.googlecode.com/svn/branches/3.28@24300 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
diff --git a/src/heap/heap-inl.h b/src/heap/heap-inl.h
index adb6e25..3b6a803 100644
--- a/src/heap/heap-inl.h
+++ b/src/heap/heap-inl.h
@@ -31,18 +31,12 @@
         NewSpacePage::FromAddress(reinterpret_cast<Address>(rear_));
     DCHECK(!rear_page->prev_page()->is_anchor());
     rear_ = reinterpret_cast<intptr_t*>(rear_page->prev_page()->area_end());
-    ActivateGuardIfOnTheSamePage();
   }
 
-  if (guard_) {
-    DCHECK(GetHeadPage() ==
-           Page::FromAllocationTop(reinterpret_cast<Address>(limit_)));
-
-    if ((rear_ - 2) < limit_) {
-      RelocateQueueHead();
-      emergency_stack_->Add(Entry(target, size));
-      return;
-    }
+  if ((rear_ - 2) < limit_) {
+    RelocateQueueHead();
+    emergency_stack_->Add(Entry(target, size));
+    return;
   }
 
   *(--rear_) = reinterpret_cast<intptr_t>(target);
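Review bot: The literal `2` in the added `if ((rear_ - 2) < limit_)` is the entry size that heap.h already names `kEntrySizeInWords`; write it as `if ((rear_ - kEntrySizeInWords) < limit_) {` so the overlap check cannot drift from the two-word `Entry` layout it protects. The check also deserves a why-comment, since nothing here says what the spill is for: `// The next slot would sit at or below the scavenger's allocation top, i.e. inside memory already handed to copied objects; spill to the emergency stack instead.` Note that with the guard gone this comparison now runs on every insert, so `limit_` must hold a defined value from the start of each scavenge — Initialize() begins before the heap.cc hunk and only its `guard_ = false` reset is visible, so confirm that it (or the constructor) sets `limit_`, otherwise the first inserts of a scavenge compare against a stale pointer left over from the previous one. The enclosing insert() starts before this hunk.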
@@ -55,13 +49,6 @@
 }
 
 
-void PromotionQueue::ActivateGuardIfOnTheSamePage() {
-  guard_ = guard_ ||
-           heap_->new_space()->active_space()->current_page()->address() ==
-               GetHeadPage()->address();
-}
-
-
 template <>
 bool inline Heap::IsOneByte(Vector<const char> str, int chars) {
   // TODO(dcarney): incorporate Latin-1 check when Latin-1 is supported?
diff --git a/src/heap/heap.cc b/src/heap/heap.cc
index fa94181..3208c35 100644
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -1373,7 +1373,6 @@
   front_ = rear_ =
       reinterpret_cast<intptr_t*>(heap_->new_space()->ToSpaceEnd());
   emergency_stack_ = NULL;
-  guard_ = false;
 }
 
 
@@ -1971,15 +1970,16 @@
 
     HeapObject* target = NULL;  // Initialization to please compiler.
     if (allocation.To(&target)) {
+      // Order is important here: Set the promotion limit before storing a
+      // filler for double alignment or migrating the object. Otherwise we
+      // may end up overwriting promotion queue entries when we migrate the
+      // object.
+      heap->promotion_queue()->SetNewLimit(heap->new_space()->top());
+
       if (alignment != kObjectAlignment) {
         target = EnsureDoubleAligned(heap, target, allocation_size);
       }
 
-      // Order is important here: Set the promotion limit before migrating
-      // the object. Otherwise we may end up overwriting promotion queue
-      // entries when we migrate the object.
-      heap->promotion_queue()->SetNewLimit(heap->new_space()->top());
-
       // Order is important: slot might be inside of the target if target
       // was allocated over a dead object and slot comes from the store
       // buffer.
diff --git a/src/heap/heap.h b/src/heap/heap.h
index c313333..b21951c 100644
--- a/src/heap/heap.h
+++ b/src/heap/heap.h
@@ -393,18 +393,11 @@
     emergency_stack_ = NULL;
   }
 
-  inline void ActivateGuardIfOnTheSamePage();
-
   Page* GetHeadPage() {
     return Page::FromAllocationTop(reinterpret_cast<Address>(rear_));
   }
 
   void SetNewLimit(Address limit) {
-    if (!guard_) {
-      return;
-    }
-
-    DCHECK(GetHeadPage() == Page::FromAllocationTop(limit));
     limit_ = reinterpret_cast<intptr_t*>(limit);
 
     if (limit_ <= rear_) {
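Review bot: Dropping the `DCHECK(GetHeadPage() == Page::FromAllocationTop(limit))` means `SetNewLimit` now accepts a limit on any to-space page, and the `limit_ <= rear_` test on the last visible line only means "allocation has not reached the queue" if to-space pages are laid out in ascending address order — presumably true for a semispace carved out of one reservation, but nothing in this file states it. Since the whole fix rests on this method being called at every advance of new-space top (the semi-space copy path in heap.cc and the fresh-page path in spaces.cc) before the memory at the old top is written, that contract should be written down; a header comment along the lines of `// Records the new-space allocation top reached during a scavenge. Must be called each time top advances and before anything is written at the old top; the check below handles top having overtaken rear_. Relies on to-space pages being address-ordered so limit_ and rear_ compare across pages.` would do. The body of SetNewLimit continues past the end of this hunk.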
@@ -461,8 +454,6 @@
   intptr_t* rear_;
   intptr_t* limit_;
 
-  bool guard_;
-
   static const int kEntrySizeInWords = 2;
 
   struct Entry {
diff --git a/src/heap/spaces.cc b/src/heap/spaces.cc
index 92f3f7f..e197f5a 100644
--- a/src/heap/spaces.cc
+++ b/src/heap/spaces.cc
@@ -1367,7 +1367,6 @@
   Address limit = NewSpacePage::FromLimit(top)->area_end();
   if (heap()->gc_state() == Heap::SCAVENGE) {
     heap()->promotion_queue()->SetNewLimit(limit);
-    heap()->promotion_queue()->ActivateGuardIfOnTheSamePage();
   }
 
   int remaining_in_page = static_cast<int>(limit - top);
diff --git a/src/version.cc b/src/version.cc
index 96b93ac..e1dc570 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     28
 #define BUILD_NUMBER      71
-#define PATCH_LEVEL 14
+#define PATCH_LEVEL 15
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0
diff --git a/test/mjsunit/regress/regress-411210.js b/test/mjsunit/regress/regress-411210.js
new file mode 100644
index 0000000..2dbc5ff
--- /dev/null
+++ b/test/mjsunit/regress/regress-411210.js
@@ -0,0 +1,22 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --gc-interval=439 --random-seed=-423594851
+
+var __v_3;
+function __f_2() {
+  var __v_1 = new Array(3);
+  __v_1[0] = 10;
+  __v_1[1] = 15.5;
+  __v_3 = __f_2();
+  __v_1[2] = 20;
+  return __v_1;
+}
+
+try {
+  for (var __v_2 = 0; __v_2 < 3; ++__v_2) {
+    __v_3 = __f_2();
+  }
+}
+catch (e) { }
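Review bot: The test has no assertion and no comment, so a reader cannot tell that it is a crash repro rather than a behavioural check, nor that the unbounded recursion in `__f_2` (it calls itself unconditionally) and the empty `catch` are deliberate. A header comment after the Flags line would fix that: `// Regression test for chromium:411210: recursing until stack overflow while allocating small arrays (one holding a double) under a short GC interval could let a scavenge overwrite promotion queue entries. Passes if it does not crash; the RangeError is expected and swallowed.` It is also worth noting next to the Flags line that the fixed `--random-seed` and `--gc-interval` values pin the allocation pattern, so changing them may stop the test reproducing the original failure.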