Merge v8 from https://chromium.googlesource.com/v8/v8.git at 887005895a11123fdc0d4c3b2e8e53cc8dd7c27a
This commit was generated by merge_from_chromium.py.
Change-Id: I926f7306905f4f6751fd9d9493e3baaea8f55789
diff --git a/src/heap/heap.cc b/src/heap/heap.cc
index 5c8cd45..c4eed9c 100644
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -2038,7 +2038,17 @@
// Order is important: slot might be inside of the target if target
// was allocated over a dead object and slot comes from the store
// buffer.
- *slot = target;
+
+ // Unfortunately, the allocation can also write over the slot if the slot
+ // was in free space and the allocation wrote free list data (such as the
+ // free list map or entry size) over the slot. We guard against this by
+ // checking that the slot still points to the object being moved. This
+ // should be sufficient because neither the free list map nor the free
+ // list entry size should look like a new space pointer (the former is an
+ // old space pointer, the latter is word-aligned).
+ if (*slot == object) {
+ *slot = target;
+ }
MigrateObject(heap, object, target, object_size);
if (object_contents == POINTER_OBJECT) {
diff --git a/src/version.cc b/src/version.cc
index 258d759..0e3a188 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 30
#define BUILD_NUMBER 33
-#define PATCH_LEVEL 7
+#define PATCH_LEVEL 8
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
