From 8bd3d83e01648eb671fb3f2f2b9ed4b7e67dc929 Mon Sep 17 00:00:00 2001
From: Myles Borins
Date: Mon, 20 Jun 2016 07:29:54 -0700
Subject: [PATCH] deps: backport d800a65 from V8 upstream

This backport does not include the original changes to SLOW_DCHECK as it does not exist in the V8 in node v4.x

Original commit message:

Filter out stale left-trimmed handles

BUG=chromium:620553
LOG=N
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2078403002
Cr-Commit-Position: refs/heads/master@{#37108}

PR-URL: https://github.com/nodejs/node/pull/10668
Reviewed-By: James M Snell
Reviewed-By: Fedor Indutny
Reviewed-By: Ali Ijaz Sheikh
---
 deps/v8/src/heap/mark-compact.cc | 28 ++++++++++++++++++-
 .../v8/test/mjsunit/regress/regress-620553.js | 17 +++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 deps/v8/test/mjsunit/regress/regress-620553.js

diff --git a/deps/v8/src/heap/mark-compact.cc b/deps/v8/src/heap/mark-compact.cc
index dcc2fb943046d6..e39ff83e9f381e 100644
--- a/deps/v8/src/heap/mark-compact.cc
+++ b/deps/v8/src/heap/mark-compact.cc
@@ -1648,8 +1648,34 @@ class RootMarkingVisitor : public ObjectVisitor {
 void MarkObjectByPointer(Object** p) {
 if (!(*p)->IsHeapObject()) return;
- // Replace flat cons strings in place.
 HeapObject* object = ShortCircuitConsString(p);
+
+ // We cannot avoid stale handles to left-trimmed objects, but can only make
+ // sure all handles still needed are updated. Filter out any stale pointers
+ // and clear the slot to allow post processing of handles (needed because
+ // the sweeper might actually free the underlying page).
+ if (object->IsFiller()) {
+#ifdef DEBUG
+ // We need to find a FixedArrayBase map after walking the fillers.
+ Heap* heap = collector_->heap();
+ HeapObject* current = object;
+ while (current->IsFiller()) {
+ Address next = reinterpret_cast(current);
+ if (current->map() == heap->one_pointer_filler_map()) {
+ next += kPointerSize;
+ } else if (current->map() == heap->two_pointer_filler_map()) {
+ next += 2 * kPointerSize;
+ } else {
+ next += current->Size();
+ }
+ current = reinterpret_cast(next);
+ }
+ DCHECK(current->IsFixedArrayBase());
+#endif // DEBUG
+ *p = nullptr;
+ return;
+ }
+
 MarkBit mark_bit = Marking::MarkBitFrom(object);
 if (Marking::IsBlackOrGrey(mark_bit)) return;
diff --git a/deps/v8/test/mjsunit/regress/regress-620553.js b/deps/v8/test/mjsunit/regress/regress-620553.js
new file mode 100644
index 00000000000000..461b9bb189e559
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-620553.js
@@ -0,0 +1,17 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc
+
+var o0 = [];
+var o1 = [];
+var cnt = 0;
+o1.__defineGetter__(0, function() {
+ if (cnt++ > 2) return;
+ o0.shift();
+ gc();
+ o0.push(0);
+ o0.concat(o1);
+});
+o1[0];
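Review bot: In release builds the new filler branch clears any root slot that points at a filler, whether or not the filler came from left-trimming, so a handle that is stale for some other reason (a heap-invariant bug elsewhere) is silently dropped rather than caught; the DEBUG walk to a FixedArrayBase is the only check, and the comment above `if (object->IsFiller()) {` should state that trade-off, e.g. `// Non-DEBUG builds drop every filler-pointing root; only DEBUG verifies the filler run ends in a FixedArrayBase (i.e. was left-trimmed).` The deleted `// Replace flat cons strings in place.` was the only description of the surviving `ShortCircuitConsString(p)` call, so I would keep that comment above it. Both `reinterpret_cast` calls appear in this rendering without their template arguments (presumably `<Address>` and `<HeapObject*>`), which looks like an artifact of the page rather than of the patch. MarkObjectByPointer's body continues past the end of the hunk.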
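Review bot: The regression test says nothing about what it exercises beyond the bug number in its file name, so a reader has to reconstruct the scenario from `o0.shift()`, `gc()` and `o0.concat(o1)`; a one-line header after the `// Flags: --expose-gc` line would help, e.g. `// Regression test for chromium:620553: a root handle to an array that was left-trimmed (presumably by shift()) before gc() must be filtered out, not marked.` The getter's bound `if (cnt++ > 2) return;` also deserves a short note on whether three iterations are required for the reproduction or merely a recursion stop.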