From 6b3f8f472c87b955818c0f2dadd47eae32f8eddb Mon Sep 17 00:00:00 2001 From: Ali Ijaz Sheikh Date: Tue, 14 Jun 2016 22:51:31 -0700 Subject: [PATCH] deps: fix segfault during gc This is part 2/2 of the fixes needed for v8:4871. This fix never landed upstream because the bug is not present in active V8 version. The patch is available from the upstream v8 bug however. The segfault occurs at the intersection of the following three conditions that are dependent on the allocation pattern of an application: A pretenured (1) allocation site has to be optimized into a merged allocation by the allocation folding optimization (2) and there needs to be overflow of the store buffer (3). This patch disables the allocation folding optimization for pretenured allocations. This may have some, hopefully negligible, performance impact on real world applications. Fixes: https://github.com/nodejs/node/issues/5900 --- deps/v8/src/hydrogen-instructions.cc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deps/v8/src/hydrogen-instructions.cc b/deps/v8/src/hydrogen-instructions.cc index bf3c82ecb60e88..0d04ceb1b5262a 100644 --- a/deps/v8/src/hydrogen-instructions.cc +++ b/deps/v8/src/hydrogen-instructions.cc @@ -3693,6 +3693,11 @@ Representation HUnaryMathOperation::RepresentationFromInputs() { bool HAllocate::HandleSideEffectDominator(GVNFlag side_effect, HValue* dominator) { + if (IsOldSpaceAllocation()) { + // Do not fold old space allocations because the store buffer might need + // to iterate old space pages during scavenges on overflow. + return false; + } DCHECK(side_effect == kNewSpacePromotion); Zone* zone = block()->zone(); Isolate* isolate = block()->isolate();