v8
diff --git a/‎BUILD.bazel‎
Lines changed: 3 additions & 0 deletions b/‎BUILD.bazel‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎BUILD.gn‎
Lines changed: 3 additions & 8 deletions b/‎BUILD.gn‎
Lines changed: 3 additions & 8 deletions
diff --git a/‎src/execution/frames.cc‎
Lines changed: 14 additions & 9 deletions b/‎src/execution/frames.cc‎
Lines changed: 14 additions & 9 deletions
diff --git a/‎src/flags/flag-definitions.h‎
Lines changed: 10 additions & 0 deletions b/‎src/flags/flag-definitions.h‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎src/heap/conservative-stack-visitor.cc‎
Lines changed: 48 additions & 29 deletions b/‎src/heap/conservative-stack-visitor.cc‎
Lines changed: 48 additions & 29 deletions
diff --git a/‎src/heap/conservative-stack-visitor.h‎
Lines changed: 2 additions & 4 deletions b/‎src/heap/conservative-stack-visitor.h‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎src/heap/gc-tracer.cc‎
Lines changed: 4 additions & 0 deletions b/‎src/heap/gc-tracer.cc‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/heap/heap-layout.cc‎
Lines changed: 13 additions & 0 deletions b/‎src/heap/heap-layout.cc‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎src/heap/heap-layout.h‎
Lines changed: 6 additions & 0 deletions b/‎src/heap/heap-layout.h‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/heap/heap-verifier.cc‎
Lines changed: 2 additions & 1 deletion b/‎src/heap/heap-verifier.cc‎
Lines changed: 2 additions & 1 deletion
@@ -1635,6 +1635,8 @@ filegroup(
         "src/heap/combined-heap.h",
         "src/heap/concurrent-marking.cc",
         "src/heap/concurrent-marking.h",
+        "src/heap/conservative-stack-visitor.cc",
+        "src/heap/conservative-stack-visitor.h",
         "src/heap/cppgc-js/cpp-heap.cc",
         "src/heap/cppgc-js/cpp-heap.h",
         "src/heap/cppgc-js/cpp-marking-state.h",
@@ -1936,6 +1938,7 @@ filegroup(
         "src/objects/call-site-info.h",
         "src/objects/call-site-info-inl.h",
         "src/objects/casting.h",
+        "src/objects/casting-inl.h",
         "src/objects/cell.h",
         "src/objects/cell-inl.h",
         "src/objects/code.cc",
 
@@ -1894,6 +1894,7 @@ if (v8_postmortem_support) {
       "src/objects/instruction-stream.h",
       "src/objects/instruction-stream-inl.h",
       "src/objects/casting.h",
+      "src/objects/casting-inl.h",
       "src/objects/code.h",
       "src/objects/code-inl.h",
       "src/objects/data-handler.h",
@@ -3789,6 +3790,7 @@ v8_header_set("v8_internal_headers") {
     "src/heap/collection-barrier.h",
     "src/heap/combined-heap.h",
     "src/heap/concurrent-marking.h",
+    "src/heap/conservative-stack-visitor.h",
     "src/heap/cppgc-js/cpp-heap.h",
     "src/heap/cppgc-js/cpp-marking-state-inl.h",
     "src/heap/cppgc-js/cpp-marking-state.h",
@@ -4609,10 +4611,6 @@ v8_header_set("v8_internal_headers") {
     sources += [ "src/execution/pointer-authentication-dummy.h" ]
   }
 
-  if (v8_enable_conservative_stack_scanning) {
-    sources += [ "src/heap/conservative-stack-visitor.h" ]
-  }
-
   if (v8_enable_wasm_gdb_remote_debugging) {
     sources += [
       "src/debug/wasm/gdb-server/gdb-remote-util.h",
@@ -5538,6 +5536,7 @@ v8_source_set("v8_base_without_compiler") {
     "src/heap/collection-barrier.cc",
     "src/heap/combined-heap.cc",
     "src/heap/concurrent-marking.cc",
+    "src/heap/conservative-stack-visitor.cc",
     "src/heap/cppgc-js/cpp-heap.cc",
     "src/heap/cppgc-js/cpp-snapshot.cc",
     "src/heap/cppgc-js/cross-heap-remembered-set.cc",
@@ -5999,10 +5998,6 @@ v8_source_set("v8_base_without_compiler") {
     }
   }
 
-  if (v8_enable_conservative_stack_scanning) {
-    sources += [ "src/heap/conservative-stack-visitor.cc" ]
-  }
-
   if (v8_enable_wasm_gdb_remote_debugging) {
     sources += [
       "src/debug/wasm/gdb-server/gdb-remote-util.cc",
 
@@ -26,7 +26,9 @@
 #include "src/execution/vm-state-inl.h"
 #include "src/ic/ic-stats.h"
 #include "src/logging/counters.h"
+#include "src/objects/casting-inl.h"
 #include "src/objects/code.h"
+#include "src/objects/instance-type-checker.h"
 #include "src/objects/slots.h"
 #include "src/objects/smi.h"
 #include "src/objects/visitors.h"
@@ -88,10 +90,11 @@ class StackHandlerIterator {
     // For CWasmEntry frames, the handler was registered by the last C++
     // frame (Execution::CallWasm), so even though its address is already
     // beyond the limit, we know we always want to unwind one handler.
-    if (frame->is_c_wasm_entry()) handler_ = handler_->next();
+    if (frame->is_c_wasm_entry()) {
+      handler_ = handler_->next();
 #if V8_ENABLE_DRUMBRAKE
     // Do the same for GenericWasmToJsInterpreterWrapper frames.
-    else if (v8_flags.wasm_jitless && frame->is_wasm_to_js()) {
+    } else if (v8_flags.wasm_jitless && frame->is_wasm_to_js()) {
       handler_ = handler_->next();
 #ifdef USE_SIMULATOR
       // If we are running in the simulator, the handler_ address here will
@@ -100,8 +103,8 @@ class StackHandlerIterator {
       // any handler.
       limit_ = 0;
 #endif  // USE_SIMULATOR
-    }
 #endif  // V8_ENABLE_DRUMBRAKE
+    }
 #else
     // Make sure the handler has already been unwound to this frame.
     DCHECK_LE(frame->sp(), AddressOf(handler));
@@ -189,7 +192,8 @@ void StackFrameIterator::Advance() {
     // does not have a caller fp.
     auto parent = continuation()->parent();
     CHECK(!IsUndefined(parent));
-    set_continuation(Cast<WasmContinuationObject>(parent));
+    set_continuation(
+        GCSafeCast<WasmContinuationObject>(parent, isolate_->heap()));
     wasm_stack_ = reinterpret_cast<wasm::StackMemory*>(continuation()->stack());
     CHECK_EQ(wasm_stack_->jmpbuf()->state, wasm::JumpBuffer::Inactive);
     StackSwitchFrame::GetStateForJumpBuffer(wasm_stack_->jmpbuf(), &state);
@@ -282,7 +286,8 @@ void StackFrameIterator::Reset(ThreadLocalTop* top) {
 #if V8_ENABLE_WEBASSEMBLY
   auto active_continuation = isolate_->root(RootIndex::kActiveContinuation);
   if (!IsUndefined(active_continuation, isolate_)) {
-    auto continuation = Cast<WasmContinuationObject>(active_continuation);
+    auto continuation = GCSafeCast<WasmContinuationObject>(active_continuation,
+                                                           isolate_->heap());
     if (!first_stack_only_) {
       set_continuation(continuation);
     }
@@ -839,7 +844,7 @@ void StackFrame::IteratePc(RootVisitor* v, Address* constant_pool_address,
   DCHECK(!isolate()->InFastCCall());
 
   Tagged<InstructionStream> istream =
-      UncheckedCast<InstructionStream>(visited_istream);
+      GCSafeCast<InstructionStream>(visited_istream, isolate()->heap());
   const Address new_pc = istream->instruction_start() + pc_offset_from_start;
   // TODO(v8:10026): avoid replacing a signed pointer.
   PointerAuthentication::ReplacePC(pc_address(), new_pc, kSystemPointerSize);
@@ -1590,13 +1595,13 @@ void VisitSpillSlot(Isolate* isolate, RootVisitor* v,
                                            ? map_word.ToForwardingAddress(raw)
                                            : raw;
         bool is_self_forwarded =
-            forwarded->map_word(cage_base, kRelaxedLoad) ==
-            MapWord::FromForwardingAddress(forwarded, forwarded);
+            HeapLayout::IsSelfForwarded(forwarded, cage_base);
         if (is_self_forwarded) {
           // The object might be in a self-forwarding state if it's located
           // in new large object space. GC will fix this at a later stage.
           CHECK(
-              MemoryChunk::FromHeapObject(forwarded)->InNewLargeObjectSpace());
+              MemoryChunk::FromHeapObject(forwarded)->InNewLargeObjectSpace() ||
+              MemoryChunk::FromHeapObject(forwarded)->IsQuarantined());
         } else {
           Tagged<HeapObject> forwarded_map = forwarded->map(cage_base);
           // The map might be forwarded as well.
 
@@ -475,6 +475,16 @@ DEFINE_BOOL_READONLY(direct_handle, V8_ENABLE_DIRECT_HANDLE_BOOL,
 // break the correctness of the GC.
 DEFINE_NEG_NEG_IMPLICATION(conservative_stack_scanning, direct_handle)
 
+DEFINE_EXPERIMENTAL_FEATURE(scavenger_pinning_objects,
+                            "Objects reachable from the native stack during "
+                            "scavenge will be pinned and "
+                            "won't move.")
+DEFINE_IMPLICATION(scavenger_pinning_objects, separate_gc_phases)
+DEFINE_BOOL(stress_scavenger_pinning_objects, false,
+            "Treat some precise refernces as conservative references to stress "
+            "test object pinning in Scavenger")
+DEFINE_IMPLICATION(stress_scavenger_pinning_objects, scavenger_pinning_objects)
+
 #ifdef V8_ENABLE_LOCAL_OFF_STACK_CHECK
 #define V8_ENABLE_LOCAL_OFF_STACK_CHECK_BOOL true
 #else
 
@@ -4,7 +4,9 @@
 
 #include "src/heap/conservative-stack-visitor.h"
 
+#include "src/common/globals.h"
 #include "src/execution/isolate-inl.h"
+#include "src/heap/heap-layout.h"
 #include "src/heap/marking-inl.h"
 #include "src/heap/memory-chunk-metadata.h"
 #include "src/heap/memory-chunk.h"
@@ -17,10 +19,6 @@
 namespace v8 {
 namespace internal {
 
-ConservativeStackVisitor::ConservativeStackVisitor(Isolate* isolate,
-                                                   RootVisitor* delegate)
-    : ConservativeStackVisitor(isolate, delegate, delegate->collector()) {}
-
 ConservativeStackVisitor::ConservativeStackVisitor(Isolate* isolate,
                                                    RootVisitor* delegate,
                                                    GarbageCollector collector)
@@ -40,12 +38,18 @@ ConservativeStackVisitor::ConservativeStackVisitor(Isolate* isolate,
 #ifdef V8_COMPRESS_POINTERS
 bool ConservativeStackVisitor::IsInterestingCage(
     PtrComprCageBase cage_base) const {
-  if (cage_base == cage_base_) return true;
+  if (cage_base == cage_base_) {
+    return true;
+  }
 #ifdef V8_EXTERNAL_CODE_SPACE
-  if (cage_base == code_cage_base_) return true;
+  if (cage_base == code_cage_base_) {
+    return true;
+  }
 #endif
 #ifdef V8_ENABLE_SANDBOX
-  if (cage_base == trusted_cage_base_) return true;
+  if (cage_base == trusted_cage_base_) {
+    return true;
+  }
 #endif
   return false;
 }
@@ -60,9 +64,35 @@ Address ConservativeStackVisitor::FindBasePtr(
   // heap. Bail out if it is not.
   const MemoryChunk* chunk =
       allocator_->LookupChunkContainingAddress(maybe_inner_ptr);
-  if (chunk == nullptr) return kNullAddress;
+  if (chunk == nullptr) {
+    return kNullAddress;
+  }
   const MemoryChunkMetadata* chunk_metadata = chunk->Metadata();
   DCHECK(chunk_metadata->Contains(maybe_inner_ptr));
+
+  // If it is not in the young generation and we're only interested in young
+  // generation pointers, we must ignore it.
+  if (Heap::IsYoungGenerationCollector(collector_)) {
+    const bool is_old = v8_flags.sticky_mark_bits
+                            ? chunk->IsFlagSet(MemoryChunk::CONTAINS_ONLY_OLD)
+                            : !chunk->InYoungGeneration();
+    if (is_old) return kNullAddress;
+
+    // Scavenger already swapped the semi spaces, so all real objects should
+    // be found in to space.
+    if (collector_ == GarbageCollector::SCAVENGER ? chunk->IsToPage()
+                                                  : chunk->IsFromPage()) {
+      return kNullAddress;
+    }
+  } else {
+    // If it is in the young generation "from" semispace, it is not used and
+    // we must ignore it, as its markbits may not be clean.
+    if (chunk->IsFromPage()) {
+      DCHECK(!v8_flags.sticky_mark_bits);
+      return kNullAddress;
+    }
+  }
+
   // If it is contained in a large page, we want to mark the only object on it.
   if (chunk->IsLargePage()) {
     // This could be simplified if we could guarantee that there are no free
@@ -71,25 +101,12 @@ Address ConservativeStackVisitor::FindBasePtr(
         static_cast<const LargePageMetadata*>(chunk_metadata)->GetObject());
     return IsFreeSpaceOrFiller(obj, cage_base) ? kNullAddress : obj.address();
   }
+
   // Otherwise, we have a pointer inside a normal page.
   const PageMetadata* page = static_cast<const PageMetadata*>(chunk_metadata);
-  // If it is not in the young generation and we're only interested in young
-  // generation pointers, we must ignore it.
-  if (v8_flags.sticky_mark_bits) {
-    if (Heap::IsYoungGenerationCollector(collector_) &&
-        chunk->IsFlagSet(MemoryChunk::CONTAINS_ONLY_OLD))
-      return kNullAddress;
-  } else {
-    if (Heap::IsYoungGenerationCollector(collector_) &&
-        !chunk->InYoungGeneration())
-      return kNullAddress;
-
-    // If it is in the young generation "from" semispace, it is not used and we
-    // must ignore it, as its markbits may not be clean.
-    if (chunk->IsFromPage()) return kNullAddress;
-  }
-
   // Try to find the address of a previous valid object on this page.
+  // TODO(379788114): Create a temporary bitmap for repeated visits to the same
+  // page during CSS from Scavenger.
   Address base_ptr =
       MarkingBitmap::FindPreviousValidObject(page, maybe_inner_ptr);
   // Iterate through the objects in the page forwards, until we find the object
@@ -99,8 +116,9 @@ Address ConservativeStackVisitor::FindBasePtr(
     Tagged<HeapObject> obj(HeapObject::FromAddress(base_ptr));
     const int size = obj->Size(cage_base);
     DCHECK_LT(0, size);
-    if (maybe_inner_ptr < base_ptr + size)
+    if (maybe_inner_ptr < base_ptr + size) {
       return IsFreeSpaceOrFiller(obj, cage_base) ? kNullAddress : base_ptr;
+    }
     base_ptr += size;
     DCHECK_LT(base_ptr, page->area_end());
   }
@@ -135,12 +153,11 @@ void ConservativeStackVisitor::VisitConservativelyIfPointer(Address address) {
   if (V8HeapCompressionScheme::GetPtrComprCageBaseAddress(address) ==
       cage_base_.address()) {
     VisitConservativelyIfPointer(address, cage_base_);
-  }
 #ifdef V8_EXTERNAL_CODE_SPACE
-  else if (code_address_region_.contains(address)) {
+  } else if (code_address_region_.contains(address)) {
     VisitConservativelyIfPointer(address, code_cage_base_);
-  }
 #endif  // V8_EXTERNAL_CODE_SPACE
+  }
 #else   // !V8_COMPRESS_POINTERS
   VisitConservativelyIfPointer(address, cage_base_);
 #endif  // V8_COMPRESS_POINTERS
@@ -156,7 +173,9 @@ void ConservativeStackVisitor::VisitConservativelyIfPointer(
   }
   // Proceed with inner-pointer resolution.
   Address base_ptr = FindBasePtr(address, cage_base);
-  if (base_ptr == kNullAddress) return;
+  if (base_ptr == kNullAddress) {
+    return;
+  }
   Tagged<HeapObject> obj = HeapObject::FromAddress(base_ptr);
   Tagged<Object> root = obj;
   DCHECK_NOT_NULL(delegate_);
 
@@ -19,7 +19,8 @@ class RootVisitor;
 class V8_EXPORT_PRIVATE ConservativeStackVisitor
     : public ::heap::base::StackVisitor {
  public:
-  ConservativeStackVisitor(Isolate* isolate, RootVisitor* delegate);
+  ConservativeStackVisitor(Isolate* isolate, RootVisitor* delegate,
+                           GarbageCollector collector);
 
   void VisitPointer(const void* pointer) final;
 
@@ -39,9 +40,6 @@ class V8_EXPORT_PRIVATE ConservativeStackVisitor
   }
 
  private:
-  ConservativeStackVisitor(Isolate* isolate, RootVisitor* delegate,
-                           GarbageCollector collector);
-
   void VisitConservativelyIfPointer(Address address);
   void VisitConservativelyIfPointer(Address address,
                                     PtrComprCageBase cage_base);
 
@@ -859,6 +859,8 @@ void GCTracer::PrintNVP() const {
           "holes_size_after=%zu "
           "allocated=%zu "
           "promoted=%zu "
+          "quarantined_size=%zu "
+          "quarantined_pages=%zu "
           "new_space_survived=%zu "
           "nodes_died_in_new=%d "
           "nodes_copied_in_new=%d "
@@ -897,6 +899,8 @@ void GCTracer::PrintNVP() const {
           current_.start_object_size, current_.end_object_size,
           current_.start_holes_size, current_.end_holes_size,
           allocated_since_last_gc, heap_->promoted_objects_size(),
+          heap_->semi_space_new_space()->QuarantinedSize(),
+          heap_->semi_space_new_space()->QuarantinedPageCount(),
           heap_->new_space_surviving_object_size(),
           heap_->nodes_died_in_new_space_, heap_->nodes_copied_in_new_space_,
           heap_->nodes_promoted_, heap_->promotion_ratio_,
 
@@ -5,6 +5,7 @@
 #include "src/heap/heap-layout-inl.h"
 #include "src/heap/marking-inl.h"
 #include "src/heap/memory-chunk.h"
+#include "src/objects/objects-inl.h"
 
 namespace v8::internal {
 
@@ -37,4 +38,16 @@ void HeapLayout::CheckYoungGenerationConsistency(const MemoryChunk* chunk) {
 #endif  // DEBUG
 }
 
+// static
+bool HeapLayout::IsSelfForwarded(Tagged<HeapObject> object) {
+  return IsSelfForwarded(object, GetPtrComprCageBase(object));
+}
+
+// static
+bool HeapLayout::IsSelfForwarded(Tagged<HeapObject> object,
+                                 PtrComprCageBase cage_base) {
+  return object->map_word(cage_base, kRelaxedLoad) ==
+         MapWord::FromForwardingAddress(object, object);
+}
+
 }  // namespace v8::internal
@@ -54,6 +54,12 @@ class HeapLayout final : public AllStatic {
   // serialization.
   static V8_INLINE bool IsOwnedByAnyHeap(Tagged<HeapObject> object);
 
+  // Returns whether the map word of `object` is a self forwarding address.
+  // This represents pinned objects and live large objects in Scavenger.
+  static bool IsSelfForwarded(Tagged<HeapObject> object);
+  static bool IsSelfForwarded(Tagged<HeapObject> object,
+                              PtrComprCageBase cage_base);
+
  private:
   V8_EXPORT static bool InYoungGenerationForStickyMarkbits(
       const MemoryChunk* chunk, Tagged<HeapObject> object);
 
@@ -412,6 +412,7 @@ void HeapVerification::VerifyPage(const MemoryChunkMetadata* chunk_metadata) {
   CHECK(!current_chunk_.has_value());
   CHECK(!chunk->IsFlagSet(MemoryChunk::PAGE_NEW_OLD_PROMOTION));
   CHECK(!chunk->IsFlagSet(MemoryChunk::FROM_PAGE));
+  CHECK(!chunk->IsQuarantined());
   if (chunk->InReadOnlySpace()) {
     CHECK_NULL(chunk_metadata->owner());
   } else {
@@ -629,7 +630,7 @@ class OldToNewSlotVerifyingVisitor : public SlotVerifyingVisitor {
     Tagged<Object> k = *key;
     if (!HeapLayout::InYoungGeneration(host) &&
         HeapLayout::InYoungGeneration(k)) {
-      Tagged<EphemeronHashTable> table = Cast<EphemeronHashTable>(host);
+      Tagged<EphemeronHashTable> table = i::Cast<EphemeronHashTable>(host);
       auto it = ephemeron_remembered_set_->find(table);
       CHECK(it != ephemeron_remembered_set_->end());
       int slot_index =