RubyGems - libv8 - Versions diffs - 3.10.8.0 → 3.11.8.0 - Mend

libv8 3.10.8.0 → 3.11.8.0

Files changed (215) hide show

data/Rakefile +10 -3
data/ext/libv8/compiler.rb +46 -0
data/ext/libv8/extconf.rb +5 -1
data/ext/libv8/make.rb +13 -0
data/lib/libv8/version.rb +1 -1
data/patches/add-freebsd9-and-freebsd10-to-gyp-GetFlavor.patch +11 -0
data/patches/src_platform-freebsd.cc.patch +10 -0
data/vendor/v8/ChangeLog +124 -0
data/vendor/v8/DEPS +27 -0
data/vendor/v8/Makefile +7 -0
data/vendor/v8/SConstruct +15 -2
data/vendor/v8/build/common.gypi +129 -157
data/vendor/v8/build/gyp_v8 +11 -25
data/vendor/v8/build/standalone.gypi +9 -3
data/vendor/v8/include/v8.h +5 -3
data/vendor/v8/src/SConscript +1 -0
data/vendor/v8/src/api.cc +4 -33
data/vendor/v8/src/api.h +2 -2
data/vendor/v8/src/arm/builtins-arm.cc +5 -4
data/vendor/v8/src/arm/code-stubs-arm.cc +21 -14
data/vendor/v8/src/arm/codegen-arm.cc +2 -2
data/vendor/v8/src/arm/debug-arm.cc +3 -1
data/vendor/v8/src/arm/full-codegen-arm.cc +3 -102
data/vendor/v8/src/arm/ic-arm.cc +30 -33
data/vendor/v8/src/arm/lithium-arm.cc +20 -7
data/vendor/v8/src/arm/lithium-arm.h +10 -4
data/vendor/v8/src/arm/lithium-codegen-arm.cc +106 -60
data/vendor/v8/src/arm/macro-assembler-arm.cc +49 -39
data/vendor/v8/src/arm/macro-assembler-arm.h +5 -4
data/vendor/v8/src/arm/regexp-macro-assembler-arm.cc +115 -55
data/vendor/v8/src/arm/regexp-macro-assembler-arm.h +7 -6
data/vendor/v8/src/arm/simulator-arm.h +6 -6
data/vendor/v8/src/arm/stub-cache-arm.cc +64 -19
data/vendor/v8/src/array.js +7 -3
data/vendor/v8/src/ast.cc +11 -6
data/vendor/v8/src/bootstrapper.cc +9 -11
data/vendor/v8/src/builtins.cc +61 -31
data/vendor/v8/src/code-stubs.cc +23 -9
data/vendor/v8/src/code-stubs.h +1 -0
data/vendor/v8/src/codegen.h +3 -3
data/vendor/v8/src/compiler.cc +1 -1
data/vendor/v8/src/contexts.h +2 -18
data/vendor/v8/src/d8.cc +94 -93
data/vendor/v8/src/d8.h +1 -1
data/vendor/v8/src/debug-agent.cc +3 -3
data/vendor/v8/src/debug.cc +41 -1
data/vendor/v8/src/debug.h +50 -0
data/vendor/v8/src/elements-kind.cc +134 -0
data/vendor/v8/src/elements-kind.h +210 -0
data/vendor/v8/src/elements.cc +356 -190
data/vendor/v8/src/elements.h +36 -28
data/vendor/v8/src/factory.cc +44 -4
data/vendor/v8/src/factory.h +11 -7
data/vendor/v8/src/flag-definitions.h +3 -0
data/vendor/v8/src/frames.h +3 -0
data/vendor/v8/src/full-codegen.cc +2 -1
data/vendor/v8/src/func-name-inferrer.h +2 -0
data/vendor/v8/src/globals.h +3 -0
data/vendor/v8/src/heap-inl.h +16 -4
data/vendor/v8/src/heap.cc +38 -32
data/vendor/v8/src/heap.h +3 -17
data/vendor/v8/src/hydrogen-instructions.cc +28 -5
data/vendor/v8/src/hydrogen-instructions.h +142 -44
data/vendor/v8/src/hydrogen.cc +160 -55
data/vendor/v8/src/hydrogen.h +2 -0
data/vendor/v8/src/ia32/assembler-ia32.h +3 -0
data/vendor/v8/src/ia32/builtins-ia32.cc +5 -4
data/vendor/v8/src/ia32/code-stubs-ia32.cc +22 -16
data/vendor/v8/src/ia32/codegen-ia32.cc +2 -2
data/vendor/v8/src/ia32/debug-ia32.cc +29 -2
data/vendor/v8/src/ia32/full-codegen-ia32.cc +8 -101
data/vendor/v8/src/ia32/ic-ia32.cc +23 -19
data/vendor/v8/src/ia32/lithium-codegen-ia32.cc +126 -80
data/vendor/v8/src/ia32/lithium-codegen-ia32.h +2 -1
data/vendor/v8/src/ia32/lithium-ia32.cc +15 -9
data/vendor/v8/src/ia32/lithium-ia32.h +14 -6
data/vendor/v8/src/ia32/macro-assembler-ia32.cc +50 -40
data/vendor/v8/src/ia32/macro-assembler-ia32.h +5 -4
data/vendor/v8/src/ia32/regexp-macro-assembler-ia32.cc +113 -43
data/vendor/v8/src/ia32/regexp-macro-assembler-ia32.h +9 -4
data/vendor/v8/src/ia32/simulator-ia32.h +4 -4
data/vendor/v8/src/ia32/stub-cache-ia32.cc +52 -14
data/vendor/v8/src/ic.cc +77 -20
data/vendor/v8/src/ic.h +18 -2
data/vendor/v8/src/incremental-marking-inl.h +21 -5
data/vendor/v8/src/incremental-marking.cc +35 -8
data/vendor/v8/src/incremental-marking.h +12 -3
data/vendor/v8/src/isolate.cc +12 -2
data/vendor/v8/src/isolate.h +1 -1
data/vendor/v8/src/jsregexp.cc +66 -26
data/vendor/v8/src/jsregexp.h +60 -31
data/vendor/v8/src/list-inl.h +8 -0
data/vendor/v8/src/list.h +3 -0
data/vendor/v8/src/lithium.cc +5 -2
data/vendor/v8/src/liveedit.cc +57 -5
data/vendor/v8/src/mark-compact-inl.h +17 -11
data/vendor/v8/src/mark-compact.cc +100 -143
data/vendor/v8/src/mark-compact.h +44 -20
data/vendor/v8/src/messages.js +131 -99
data/vendor/v8/src/mips/builtins-mips.cc +5 -4
data/vendor/v8/src/mips/code-stubs-mips.cc +23 -15
data/vendor/v8/src/mips/codegen-mips.cc +2 -2
data/vendor/v8/src/mips/debug-mips.cc +3 -1
data/vendor/v8/src/mips/full-codegen-mips.cc +4 -102
data/vendor/v8/src/mips/ic-mips.cc +34 -36
data/vendor/v8/src/mips/lithium-codegen-mips.cc +116 -68
data/vendor/v8/src/mips/lithium-mips.cc +20 -7
data/vendor/v8/src/mips/lithium-mips.h +11 -4
data/vendor/v8/src/mips/macro-assembler-mips.cc +50 -39
data/vendor/v8/src/mips/macro-assembler-mips.h +5 -4
data/vendor/v8/src/mips/regexp-macro-assembler-mips.cc +110 -50
data/vendor/v8/src/mips/regexp-macro-assembler-mips.h +6 -5
data/vendor/v8/src/mips/simulator-mips.h +5 -5
data/vendor/v8/src/mips/stub-cache-mips.cc +66 -20
data/vendor/v8/src/mksnapshot.cc +5 -1
data/vendor/v8/src/objects-debug.cc +103 -6
data/vendor/v8/src/objects-inl.h +215 -116
data/vendor/v8/src/objects-printer.cc +13 -8
data/vendor/v8/src/objects.cc +608 -331
data/vendor/v8/src/objects.h +129 -94
data/vendor/v8/src/parser.cc +16 -4
data/vendor/v8/src/platform-freebsd.cc +1 -0
data/vendor/v8/src/platform-linux.cc +9 -30
data/vendor/v8/src/platform-posix.cc +28 -7
data/vendor/v8/src/platform-win32.cc +15 -3
data/vendor/v8/src/platform.h +2 -1
data/vendor/v8/src/profile-generator-inl.h +25 -2
data/vendor/v8/src/profile-generator.cc +300 -822
data/vendor/v8/src/profile-generator.h +97 -214
data/vendor/v8/src/regexp-macro-assembler-irregexp.cc +2 -1
data/vendor/v8/src/regexp-macro-assembler-irregexp.h +2 -2
data/vendor/v8/src/regexp-macro-assembler-tracer.cc +6 -5
data/vendor/v8/src/regexp-macro-assembler-tracer.h +1 -1
data/vendor/v8/src/regexp-macro-assembler.cc +7 -3
data/vendor/v8/src/regexp-macro-assembler.h +10 -2
data/vendor/v8/src/regexp.js +6 -0
data/vendor/v8/src/runtime.cc +265 -212
data/vendor/v8/src/runtime.h +6 -5
data/vendor/v8/src/scopes.cc +20 -0
data/vendor/v8/src/scopes.h +6 -3
data/vendor/v8/src/spaces.cc +0 -2
data/vendor/v8/src/string-stream.cc +2 -2
data/vendor/v8/src/v8-counters.h +0 -2
data/vendor/v8/src/v8natives.js +2 -2
data/vendor/v8/src/v8utils.h +6 -3
data/vendor/v8/src/version.cc +1 -1
data/vendor/v8/src/x64/assembler-x64.h +2 -1
data/vendor/v8/src/x64/builtins-x64.cc +5 -4
data/vendor/v8/src/x64/code-stubs-x64.cc +25 -16
data/vendor/v8/src/x64/codegen-x64.cc +2 -2
data/vendor/v8/src/x64/debug-x64.cc +14 -1
data/vendor/v8/src/x64/disasm-x64.cc +1 -1
data/vendor/v8/src/x64/full-codegen-x64.cc +10 -106
data/vendor/v8/src/x64/ic-x64.cc +20 -16
data/vendor/v8/src/x64/lithium-codegen-x64.cc +156 -79
data/vendor/v8/src/x64/lithium-codegen-x64.h +2 -1
data/vendor/v8/src/x64/lithium-x64.cc +18 -8
data/vendor/v8/src/x64/lithium-x64.h +7 -2
data/vendor/v8/src/x64/macro-assembler-x64.cc +50 -40
data/vendor/v8/src/x64/macro-assembler-x64.h +5 -4
data/vendor/v8/src/x64/regexp-macro-assembler-x64.cc +122 -51
data/vendor/v8/src/x64/regexp-macro-assembler-x64.h +17 -8
data/vendor/v8/src/x64/simulator-x64.h +4 -4
data/vendor/v8/src/x64/stub-cache-x64.cc +55 -17
data/vendor/v8/test/cctest/cctest.status +1 -0
data/vendor/v8/test/cctest/test-api.cc +24 -0
data/vendor/v8/test/cctest/test-func-name-inference.cc +38 -0
data/vendor/v8/test/cctest/test-heap-profiler.cc +21 -77
data/vendor/v8/test/cctest/test-heap.cc +164 -3
data/vendor/v8/test/cctest/test-list.cc +12 -0
data/vendor/v8/test/cctest/test-mark-compact.cc +5 -5
data/vendor/v8/test/cctest/test-regexp.cc +14 -8
data/vendor/v8/test/cctest/testcfg.py +2 -0
data/vendor/v8/test/mjsunit/accessor-map-sharing.js +176 -0
data/vendor/v8/test/mjsunit/array-construct-transition.js +3 -3
data/vendor/v8/test/mjsunit/array-literal-transitions.js +10 -10
data/vendor/v8/test/mjsunit/big-array-literal.js +3 -0
data/vendor/v8/test/mjsunit/compiler/inline-construct.js +4 -2
data/vendor/v8/test/mjsunit/debug-liveedit-stack-padding.js +88 -0
data/vendor/v8/test/mjsunit/elements-kind.js +4 -4
data/vendor/v8/test/mjsunit/elements-transition-hoisting.js +2 -2
data/vendor/v8/test/mjsunit/elements-transition.js +5 -5
data/vendor/v8/test/mjsunit/error-constructors.js +68 -33
data/vendor/v8/test/mjsunit/harmony/proxies.js +14 -6
data/vendor/v8/test/mjsunit/mjsunit.status +1 -0
data/vendor/v8/test/mjsunit/packed-elements.js +112 -0
data/vendor/v8/test/mjsunit/regexp-capture-3.js +6 -0
data/vendor/v8/test/mjsunit/regexp-global.js +132 -0
data/vendor/v8/test/mjsunit/regexp.js +11 -0
data/vendor/v8/test/mjsunit/regress/regress-117409.js +52 -0
data/vendor/v8/test/mjsunit/regress/regress-126412.js +33 -0
data/vendor/v8/test/mjsunit/regress/regress-128018.js +35 -0
data/vendor/v8/test/mjsunit/regress/regress-128146.js +33 -0
data/vendor/v8/test/mjsunit/regress/regress-1639-2.js +4 -1
data/vendor/v8/test/mjsunit/regress/regress-1639.js +14 -8
data/vendor/v8/test/mjsunit/regress/regress-1849.js +3 -3
data/vendor/v8/test/mjsunit/regress/regress-1878.js +2 -2
data/vendor/v8/test/mjsunit/regress/regress-2071.js +79 -0
data/vendor/v8/test/mjsunit/regress/regress-2153.js +32 -0
data/vendor/v8/test/mjsunit/regress/regress-crbug-122271.js +4 -4
data/vendor/v8/test/mjsunit/regress/regress-crbug-126414.js +32 -0
data/vendor/v8/test/mjsunit/regress/regress-smi-only-concat.js +2 -2
data/vendor/v8/test/mjsunit/regress/regress-transcendental.js +49 -0
data/vendor/v8/test/mjsunit/stack-traces.js +14 -0
data/vendor/v8/test/mjsunit/unbox-double-arrays.js +4 -3
data/vendor/v8/test/test262/testcfg.py +6 -1
data/vendor/v8/tools/check-static-initializers.sh +11 -3
data/vendor/v8/tools/fuzz-harness.sh +92 -0
data/vendor/v8/tools/grokdump.py +658 -67
data/vendor/v8/tools/gyp/v8.gyp +21 -39
data/vendor/v8/tools/js2c.py +3 -3
data/vendor/v8/tools/jsmin.py +2 -2
data/vendor/v8/tools/presubmit.py +2 -1
data/vendor/v8/tools/test-wrapper-gypbuild.py +25 -11
metadata +624 -612

@@ -136,6 +136,14 @@ bool List<T, P>::RemoveElement(const T& elm) {
 }
+template<typename T, class P>
+void List<T, P>::Allocate(int length) {
+  DeleteData(data_);
+  Initialize(length);
+  length_ = length;
+}
 template<typename T, class P>
 void List<T, P>::Clear() {
   DeleteData(data_);

data/vendor/v8/src/list.h CHANGED

@@ -117,6 +117,9 @@ class List {
   // pointer type. Returns the removed element.
   INLINE(T RemoveLast()) { return Remove(length_ - 1); }
+  // Deletes current list contents and allocates space for 'length' elements.
+  INLINE(void Allocate(int length));
   // Clears the list by setting the length to zero. Even if T is a
   // pointer type, clearing the list doesn't delete the entries.
   INLINE(void Clear());

data/vendor/v8/src/lithium.cc CHANGED

@@ -1,4 +1,4 @@
-// Copyright 2011 the V8 project authors. All rights reserved.
+// Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
@@ -225,9 +225,12 @@ int ElementsKindToShiftSize(ElementsKind elements_kind) {
       return 2;
     case EXTERNAL_DOUBLE_ELEMENTS:
     case FAST_DOUBLE_ELEMENTS:
+    case FAST_HOLEY_DOUBLE_ELEMENTS:
       return 3;
-    case FAST_SMI_ONLY_ELEMENTS:
+    case FAST_SMI_ELEMENTS:
     case FAST_ELEMENTS:
+    case FAST_HOLEY_SMI_ELEMENTS:
+    case FAST_HOLEY_ELEMENTS:
     case DICTIONARY_ELEMENTS:
     case NON_STRICT_ARGUMENTS_ELEMENTS:
       return kPointerSizeLog2;

data/vendor/v8/src/liveedit.cc CHANGED

@@ -1,4 +1,4 @@
-// Copyright 2011 the V8 project authors. All rights reserved.
+// Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
@@ -30,6 +30,7 @@
 #include "liveedit.h"
+#include "code-stubs.h"
 #include "compilation-cache.h"
 #include "compiler.h"
 #include "debug.h"
@@ -1475,26 +1476,36 @@ static const char* DropFrames(Vector<StackFrame*> frames,
   // Check the nature of the top frame.
   Isolate* isolate = Isolate::Current();
   Code* pre_top_frame_code = pre_top_frame->LookupCode();
+  bool frame_has_padding;
   if (pre_top_frame_code->is_inline_cache_stub() &&
       pre_top_frame_code->ic_state() == DEBUG_BREAK) {
     // OK, we can drop inline cache calls.
     *mode = Debug::FRAME_DROPPED_IN_IC_CALL;
+    frame_has_padding = Debug::FramePaddingLayout::kIsSupported;
   } else if (pre_top_frame_code ==
              isolate->debug()->debug_break_slot()) {
     // OK, we can drop debug break slot.
     *mode = Debug::FRAME_DROPPED_IN_DEBUG_SLOT_CALL;
+    frame_has_padding = Debug::FramePaddingLayout::kIsSupported;
   } else if (pre_top_frame_code ==
       isolate->builtins()->builtin(
           Builtins::kFrameDropper_LiveEdit)) {
     // OK, we can drop our own code.
     *mode = Debug::FRAME_DROPPED_IN_DIRECT_CALL;
+    frame_has_padding = false;
   } else if (pre_top_frame_code ==
       isolate->builtins()->builtin(Builtins::kReturn_DebugBreak)) {
     *mode = Debug::FRAME_DROPPED_IN_RETURN_CALL;
+    frame_has_padding = Debug::FramePaddingLayout::kIsSupported;
   } else if (pre_top_frame_code->kind() == Code::STUB &&
-      pre_top_frame_code->major_key()) {
-    // Entry from our unit tests, it's fine, we support this case.
+      pre_top_frame_code->major_key() == CodeStub::CEntry) {
+    // Entry from our unit tests on 'debugger' statement.
+    // It's fine, we support this case.
     *mode = Debug::FRAME_DROPPED_IN_DIRECT_CALL;
+    // We don't have a padding from 'debugger' statement call.
+    // Here the stub is CEntry, it's not debug-only and can't be padded.
+    // If anyone would complain, a proxy padded stub could be added.
+    frame_has_padding = false;
   } else {
     return "Unknown structure of stack above changing function";
   }
@@ -1504,8 +1515,49 @@ static const char* DropFrames(Vector<StackFrame*> frames,
       - Debug::kFrameDropperFrameSize * kPointerSize  // Size of the new frame.
       + kPointerSize;  // Bigger address end is exclusive.
+  Address* top_frame_pc_address = top_frame->pc_address();
+  // top_frame may be damaged below this point. Do not used it.
+  ASSERT(!(top_frame = NULL));
   if (unused_stack_top > unused_stack_bottom) {
-    return "Not enough space for frame dropper frame";
+    if (frame_has_padding) {
+      int shortage_bytes =
+          static_cast<int>(unused_stack_top - unused_stack_bottom);
+      Address padding_start = pre_top_frame->fp() -
+          Debug::FramePaddingLayout::kFrameBaseSize * kPointerSize;
+      Address padding_pointer = padding_start;
+      Smi* padding_object =
+          Smi::FromInt(Debug::FramePaddingLayout::kPaddingValue);
+      while (Memory::Object_at(padding_pointer) == padding_object) {
+        padding_pointer -= kPointerSize;
+      }
+      int padding_counter =
+          Smi::cast(Memory::Object_at(padding_pointer))->value();
+      if (padding_counter * kPointerSize < shortage_bytes) {
+        return "Not enough space for frame dropper frame "
+            "(even with padding frame)";
+      }
+      Memory::Object_at(padding_pointer) =
+          Smi::FromInt(padding_counter - shortage_bytes / kPointerSize);
+      StackFrame* pre_pre_frame = frames[top_frame_index - 2];
+      memmove(padding_start + kPointerSize - shortage_bytes,
+          padding_start + kPointerSize,
+          Debug::FramePaddingLayout::kFrameBaseSize * kPointerSize);
+      pre_top_frame->UpdateFp(pre_top_frame->fp() - shortage_bytes);
+      pre_pre_frame->SetCallerFp(pre_top_frame->fp());
+      unused_stack_top -= shortage_bytes;
+      STATIC_ASSERT(sizeof(Address) == kPointerSize);
+      top_frame_pc_address -= shortage_bytes / kPointerSize;
+    } else {
+      return "Not enough space for frame dropper frame";
+    }
   }
   // Committing now. After this point we should return only NULL value.
@@ -1515,7 +1567,7 @@ static const char* DropFrames(Vector<StackFrame*> frames,
   ASSERT(!FixTryCatchHandler(pre_top_frame, bottom_js_frame));
   Handle<Code> code = Isolate::Current()->builtins()->FrameDropper_LiveEdit();
-  top_frame->set_pc(code->entry());
+  *top_frame_pc_address = code->entry();
   pre_top_frame->SetCallerFp(bottom_js_frame->fp());
   *restarter_frame_function_pointer =

data/vendor/v8/src/mark-compact-inl.h CHANGED

@@ -1,4 +1,4 @@
-// Copyright 2011 the V8 project authors. All rights reserved.
+// Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
@@ -52,6 +52,15 @@ void MarkCompactCollector::SetFlags(int flags) {
 }
+bool MarkCompactCollector::MarkObjectAndPush(HeapObject* obj) {
+  if (MarkObjectWithoutPush(obj)) {
+    marking_deque_.PushBlack(obj);
+    return true;
+  }
+  return false;
+}
 void MarkCompactCollector::MarkObject(HeapObject* obj, MarkBit mark_bit) {
   ASSERT(Marking::MarkBitFrom(obj) == mark_bit);
   if (!mark_bit.Get()) {
@@ -62,16 +71,13 @@ void MarkCompactCollector::MarkObject(HeapObject* obj, MarkBit mark_bit) {
 }
-bool MarkCompactCollector::MarkObjectWithoutPush(HeapObject* object) {
-  MarkBit mark = Marking::MarkBitFrom(object);
-  bool old_mark = mark.Get();
-  if (!old_mark) SetMark(object, mark);
-  return old_mark;
-}
-void MarkCompactCollector::MarkObjectAndPush(HeapObject* object) {
-  if (!MarkObjectWithoutPush(object)) marking_deque_.PushBlack(object);
+bool MarkCompactCollector::MarkObjectWithoutPush(HeapObject* obj) {
+  MarkBit mark_bit = Marking::MarkBitFrom(obj);
+  if (!mark_bit.Get()) {
+    SetMark(obj, mark_bit);
+    return true;
+  }
+  return false;
 }

data/vendor/v8/src/mark-compact.cc CHANGED

@@ -64,13 +64,13 @@ MarkCompactCollector::MarkCompactCollector() :  // NOLINT
       abort_incremental_marking_(false),
       compacting_(false),
       was_marked_incrementally_(false),
-      collect_maps_(FLAG_collect_maps),
       flush_monomorphic_ics_(false),
       tracer_(NULL),
       migration_slots_buffer_(NULL),
       heap_(NULL),
       code_flusher_(NULL),
-      encountered_weak_maps_(NULL) { }
+      encountered_weak_maps_(NULL),
+      marker_(this, this) { }
 #ifdef DEBUG
@@ -282,7 +282,7 @@ void MarkCompactCollector::CollectGarbage() {
   MarkLiveObjects();
   ASSERT(heap_->incremental_marking()->IsStopped());
-  if (collect_maps_) ClearNonLiveTransitions();
+  if (FLAG_collect_maps) ClearNonLiveTransitions();
   ClearWeakMaps();
@@ -294,7 +294,7 @@ void MarkCompactCollector::CollectGarbage() {
   SweepSpaces();
-  if (!collect_maps_) ReattachInitialMaps();
+  if (!FLAG_collect_maps) ReattachInitialMaps();
   Finish();
@@ -658,11 +658,6 @@ void MarkCompactCollector::AbortCompaction() {
 void MarkCompactCollector::Prepare(GCTracer* tracer) {
   was_marked_incrementally_ = heap()->incremental_marking()->IsMarking();
-  // Disable collection of maps if incremental marking is enabled.
-  // Map collection algorithm relies on a special map transition tree traversal
-  // order which is not implemented for incremental marking.
-  collect_maps_ = FLAG_collect_maps && !was_marked_incrementally_;
   // Monomorphic ICs are preserved when possible, but need to be flushed
   // when they might be keeping a Context alive, or when the heap is about
   // to be serialized.
@@ -680,7 +675,6 @@ void MarkCompactCollector::Prepare(GCTracer* tracer) {
   ASSERT(!FLAG_never_compact || !FLAG_always_compact);
-  if (collect_maps_) CreateBackPointers();
 #ifdef ENABLE_GDB_JIT_INTERFACE
   if (FLAG_gdbjit) {
     // If GDBJIT interface is active disable compaction.
@@ -1186,16 +1180,7 @@ class StaticMarkingVisitor : public StaticVisitorBase {
     Heap* heap = map->GetHeap();
     Code* code = reinterpret_cast<Code*>(object);
     if (FLAG_cleanup_code_caches_at_gc) {
-      Object* raw_info = code->type_feedback_info();
-      if (raw_info->IsTypeFeedbackInfo()) {
-        TypeFeedbackCells* type_feedback_cells =
-            TypeFeedbackInfo::cast(raw_info)->type_feedback_cells();
-        for (int i = 0; i < type_feedback_cells->CellCount(); i++) {
-          ASSERT(type_feedback_cells->AstId(i)->IsSmi());
-          JSGlobalPropertyCell* cell = type_feedback_cells->Cell(i);
-          cell->set_value(TypeFeedbackCells::RawUninitializedSentinel(heap));
-        }
-      }
+      code->ClearTypeFeedbackCells(heap);
     }
     code->CodeIterateBody<StaticMarkingVisitor>(heap);
   }
@@ -1808,11 +1793,11 @@ void MarkCompactCollector::ProcessNewlyMarkedObject(HeapObject* object) {
     heap_->ClearCacheOnMap(map);
     // When map collection is enabled we have to mark through map's transitions
-    // in a special way to make transition links weak.
-    // Only maps for subclasses of JSReceiver can have transitions.
+    // in a special way to make transition links weak. Only maps for subclasses
+    // of JSReceiver can have transitions.
     STATIC_ASSERT(LAST_TYPE == LAST_JS_RECEIVER_TYPE);
-    if (collect_maps_ && map->instance_type() >= FIRST_JS_RECEIVER_TYPE) {
-      MarkMapContents(map);
+    if (FLAG_collect_maps && map->instance_type() >= FIRST_JS_RECEIVER_TYPE) {
+      marker_.MarkMapContents(map);
     } else {
       marking_deque_.PushBlack(map);
     }
@@ -1822,79 +1807,85 @@ void MarkCompactCollector::ProcessNewlyMarkedObject(HeapObject* object) {
 }
-void MarkCompactCollector::MarkMapContents(Map* map) {
+// Force instantiation of template instances.
+template void Marker<IncrementalMarking>::MarkMapContents(Map* map);
+template void Marker<MarkCompactCollector>::MarkMapContents(Map* map);
+template <class T>
+void Marker<T>::MarkMapContents(Map* map) {
   // Mark prototype transitions array but don't push it into marking stack.
   // This will make references from it weak. We will clean dead prototype
   // transitions in ClearNonLiveTransitions.
-  FixedArray* prototype_transitions = map->prototype_transitions();
-  MarkBit mark = Marking::MarkBitFrom(prototype_transitions);
-  if (!mark.Get()) {
-    mark.Set();
-    MemoryChunk::IncrementLiveBytesFromGC(prototype_transitions->address(),
-                                          prototype_transitions->Size());
+  Object** proto_trans_slot =
+      HeapObject::RawField(map, Map::kPrototypeTransitionsOrBackPointerOffset);
+  HeapObject* prototype_transitions = HeapObject::cast(*proto_trans_slot);
+  if (prototype_transitions->IsFixedArray()) {
+    mark_compact_collector()->RecordSlot(proto_trans_slot,
+                                         proto_trans_slot,
+                                         prototype_transitions);
+    MarkBit mark = Marking::MarkBitFrom(prototype_transitions);
+    if (!mark.Get()) {
+      mark.Set();
+      MemoryChunk::IncrementLiveBytesFromGC(prototype_transitions->address(),
+                                            prototype_transitions->Size());
+    }
   }
-  Object** raw_descriptor_array_slot =
+  // Make sure that the back pointer stored either in the map itself or inside
+  // its prototype transitions array is marked. Treat pointers in the descriptor
+  // array as weak and also mark that array to prevent visiting it later.
+  base_marker()->MarkObjectAndPush(HeapObject::cast(map->GetBackPointer()));
+  Object** descriptor_array_slot =
       HeapObject::RawField(map, Map::kInstanceDescriptorsOrBitField3Offset);
-  Object* raw_descriptor_array = *raw_descriptor_array_slot;
-  if (!raw_descriptor_array->IsSmi()) {
-    MarkDescriptorArray(
-        reinterpret_cast<DescriptorArray*>(raw_descriptor_array));
+  Object* descriptor_array = *descriptor_array_slot;
+  if (!descriptor_array->IsSmi()) {
+    MarkDescriptorArray(reinterpret_cast<DescriptorArray*>(descriptor_array));
+  }
+  // Mark the Object* fields of the Map. Since the descriptor array has been
+  // marked already, it is fine that one of these fields contains a pointer
+  // to it. But make sure to skip back pointer and prototype transitions.
+  STATIC_ASSERT(Map::kPointerFieldsEndOffset ==
+      Map::kPrototypeTransitionsOrBackPointerOffset + kPointerSize);
+  Object** start_slot = HeapObject::RawField(
+      map, Map::kPointerFieldsBeginOffset);
+  Object** end_slot = HeapObject::RawField(
+      map, Map::kPrototypeTransitionsOrBackPointerOffset);
+  for (Object** slot = start_slot; slot < end_slot; slot++) {
+    Object* obj = *slot;
+    if (!obj->NonFailureIsHeapObject()) continue;
+    mark_compact_collector()->RecordSlot(start_slot, slot, obj);
+    base_marker()->MarkObjectAndPush(reinterpret_cast<HeapObject*>(obj));
   }
-  // Mark the Object* fields of the Map.
-  // Since the descriptor array has been marked already, it is fine
-  // that one of these fields contains a pointer to it.
-  Object** start_slot = HeapObject::RawField(map,
-                                             Map::kPointerFieldsBeginOffset);
-  Object** end_slot = HeapObject::RawField(map, Map::kPointerFieldsEndOffset);
-  StaticMarkingVisitor::VisitPointers(map->GetHeap(), start_slot, end_slot);
 }
-void MarkCompactCollector::MarkAccessorPairSlot(HeapObject* accessors,
-                                                int offset) {
-  Object** slot = HeapObject::RawField(accessors, offset);
-  HeapObject* accessor = HeapObject::cast(*slot);
-  if (accessor->IsMap()) return;
-  RecordSlot(slot, slot, accessor);
-  MarkObjectAndPush(accessor);
-}
-void MarkCompactCollector::MarkDescriptorArray(
-    DescriptorArray* descriptors) {
-  MarkBit descriptors_mark = Marking::MarkBitFrom(descriptors);
-  if (descriptors_mark.Get()) return;
+template <class T>
+void Marker<T>::MarkDescriptorArray(DescriptorArray* descriptors) {
   // Empty descriptor array is marked as a root before any maps are marked.
-  ASSERT(descriptors != heap()->empty_descriptor_array());
-  SetMark(descriptors, descriptors_mark);
+  ASSERT(descriptors != descriptors->GetHeap()->empty_descriptor_array());
-  FixedArray* contents = reinterpret_cast<FixedArray*>(
+  // The DescriptorArray contains a pointer to its contents array, but the
+  // contents array will be marked black and hence not be visited again.
+  if (!base_marker()->MarkObjectAndPush(descriptors)) return;
+  FixedArray* contents = FixedArray::cast(
       descriptors->get(DescriptorArray::kContentArrayIndex));
-  ASSERT(contents->IsHeapObject());
-  ASSERT(!IsMarked(contents));
-  ASSERT(contents->IsFixedArray());
-  ASSERT(contents->length() >= 2);
-  MarkBit contents_mark = Marking::MarkBitFrom(contents);
-  SetMark(contents, contents_mark);
-  // Contents contains (value, details) pairs.  If the details say that the type
-  // of descriptor is MAP_TRANSITION, CONSTANT_TRANSITION,
-  // EXTERNAL_ARRAY_TRANSITION or NULL_DESCRIPTOR, we don't mark the value as
-  // live.  Only for MAP_TRANSITION, EXTERNAL_ARRAY_TRANSITION and
-  // CONSTANT_TRANSITION is the value an Object* (a Map*).
-  for (int i = 0; i < contents->length(); i += 2) {
-    // If the pair (value, details) at index i, i+1 is not
-    // a transition or null descriptor, mark the value.
-    PropertyDetails details(Smi::cast(contents->get(i + 1)));
-    Object** slot = contents->data_start() + i;
+  ASSERT(Marking::IsWhite(Marking::MarkBitFrom(contents)));
+  base_marker()->MarkObjectWithoutPush(contents);
+  // If the descriptor contains a transition (value is a Map), we don't mark the
+  // value as live. It might be set to the NULL_DESCRIPTOR in
+  // ClearNonLiveTransitions later.
+  for (int i = 0; i < descriptors->number_of_descriptors(); ++i) {
+    PropertyDetails details(descriptors->GetDetails(i));
+    Object** slot = descriptors->GetValueSlot(i);
     if (!(*slot)->IsHeapObject()) continue;
     HeapObject* value = HeapObject::cast(*slot);
-    RecordSlot(slot, slot, *slot);
+    mark_compact_collector()->RecordSlot(slot, slot, *slot);
     switch (details.type()) {
       case NORMAL:
@@ -1902,21 +1893,22 @@ void MarkCompactCollector::MarkDescriptorArray(
       case CONSTANT_FUNCTION:
       case HANDLER:
       case INTERCEPTOR:
-        MarkObjectAndPush(value);
+        base_marker()->MarkObjectAndPush(value);
         break;
       case CALLBACKS:
         if (!value->IsAccessorPair()) {
-          MarkObjectAndPush(value);
-        } else if (!MarkObjectWithoutPush(value)) {
-          MarkAccessorPairSlot(value, AccessorPair::kGetterOffset);
-          MarkAccessorPairSlot(value, AccessorPair::kSetterOffset);
+          base_marker()->MarkObjectAndPush(value);
+        } else if (base_marker()->MarkObjectWithoutPush(value)) {
+          AccessorPair* accessors = AccessorPair::cast(value);
+          MarkAccessorPairSlot(accessors, AccessorPair::kGetterOffset);
+          MarkAccessorPairSlot(accessors, AccessorPair::kSetterOffset);
         }
         break;
       case ELEMENTS_TRANSITION:
         // For maps with multiple elements transitions, the transition maps are
         // stored in a FixedArray. Keep the fixed array alive but not the maps
         // that it refers to.
-        if (value->IsFixedArray()) MarkObjectWithoutPush(value);
+        if (value->IsFixedArray()) base_marker()->MarkObjectWithoutPush(value);
         break;
       case MAP_TRANSITION:
       case CONSTANT_TRANSITION:
@@ -1924,26 +1916,16 @@ void MarkCompactCollector::MarkDescriptorArray(
         break;
     }
   }
-  // The DescriptorArray descriptors contains a pointer to its contents array,
-  // but the contents array is already marked.
-  marking_deque_.PushBlack(descriptors);
 }
-void MarkCompactCollector::CreateBackPointers() {
-  HeapObjectIterator iterator(heap()->map_space());
-  for (HeapObject* next_object = iterator.Next();
-       next_object != NULL; next_object = iterator.Next()) {
-    if (next_object->IsMap()) {  // Could also be FreeSpace object on free list.
-      Map* map = Map::cast(next_object);
-      STATIC_ASSERT(LAST_TYPE == LAST_JS_RECEIVER_TYPE);
-      if (map->instance_type() >= FIRST_JS_RECEIVER_TYPE) {
-        map->CreateBackPointers();
-      } else {
-        ASSERT(map->instance_descriptors() == heap()->empty_descriptor_array());
-      }
-    }
-  }
+template <class T>
+void Marker<T>::MarkAccessorPairSlot(AccessorPair* accessors, int offset) {
+  Object** slot = HeapObject::RawField(accessors, offset);
+  HeapObject* accessor = HeapObject::cast(*slot);
+  if (accessor->IsMap()) return;
+  mark_compact_collector()->RecordSlot(slot, slot, accessor);
+  base_marker()->MarkObjectAndPush(accessor);
 }
@@ -2470,15 +2452,8 @@ void MarkCompactCollector::ReattachInitialMaps() {
 void MarkCompactCollector::ClearNonLiveTransitions() {
   HeapObjectIterator map_iterator(heap()->map_space());
   // Iterate over the map space, setting map transitions that go from
-  // a marked map to an unmarked map to null transitions.  At the same time,
-  // set all the prototype fields of maps back to their original value,
-  // dropping the back pointers temporarily stored in the prototype field.
-  // Setting the prototype field requires following the linked list of
-  // back pointers, reversing them all at once.  This allows us to find
-  // those maps with map transitions that need to be nulled, and only
-  // scan the descriptor arrays of those maps, not all maps.
-  // All of these actions are carried out only on maps of JSObjects
-  // and related subtypes.
+  // a marked map to an unmarked map to null transitions.  This action
+  // is carried out only on maps of JSObjects and related subtypes.
   for (HeapObject* obj = map_iterator.Next();
        obj != NULL; obj = map_iterator.Next()) {
     Map* map = reinterpret_cast<Map*>(obj);
@@ -2554,36 +2529,16 @@ void MarkCompactCollector::ClearNonLivePrototypeTransitions(Map* map) {
 void MarkCompactCollector::ClearNonLiveMapTransitions(Map* map,
                                                       MarkBit map_mark) {
-  // Follow the chain of back pointers to find the prototype.
-  Object* real_prototype = map;
-  while (real_prototype->IsMap()) {
-    real_prototype = Map::cast(real_prototype)->prototype();
-    ASSERT(real_prototype->IsHeapObject());
-  }
+  Object* potential_parent = map->GetBackPointer();
+  if (!potential_parent->IsMap()) return;
+  Map* parent = Map::cast(potential_parent);
-  // Follow back pointers, setting them to prototype, clearing map transitions
-  // when necessary.
-  Map* current = map;
+  // Follow back pointer, check whether we are dealing with a map transition
+  // from a live map to a dead path and in case clear transitions of parent.
   bool current_is_alive = map_mark.Get();
-  bool on_dead_path = !current_is_alive;
-  while (current->IsMap()) {
-    Object* next = current->prototype();
-    // There should never be a dead map above a live map.
-    ASSERT(on_dead_path || current_is_alive);
-    // A live map above a dead map indicates a dead transition. This test will
-    // always be false on the first iteration.
-    if (on_dead_path && current_is_alive) {
-      on_dead_path = false;
-      current->ClearNonLiveTransitions(heap(), real_prototype);
-    }
-    Object** slot = HeapObject::RawField(current, Map::kPrototypeOffset);
-    *slot = real_prototype;
-    if (current_is_alive) RecordSlot(slot, slot, real_prototype);
-    current = reinterpret_cast<Map*>(next);
-    current_is_alive = Marking::MarkBitFrom(current).Get();
+  bool parent_is_alive = Marking::MarkBitFrom(parent).Get();
+  if (!current_is_alive && parent_is_alive) {
+    parent->ClearNonLiveTransitions(heap());
   }
 }
@@ -2782,7 +2737,9 @@ static void UpdatePointer(HeapObject** p, HeapObject* object) {
     // We have to zap this pointer, because the store buffer may overflow later,
     // and then we have to scan the entire heap and we don't want to find
     // spurious newspace pointers in the old space.
-    *p = reinterpret_cast<HeapObject*>(Smi::FromInt(0));
+    // TODO(mstarzinger): This was changed to a sentinel value to track down
+    // rare crashes, change it back to Smi::FromInt(0) later.
+    *p = reinterpret_cast<HeapObject*>(Smi::FromInt(0x0f100d00 >> 1));  // flood
   }
 }
@@ -3838,7 +3795,7 @@ void MarkCompactCollector::SweepSpace(PagedSpace* space, SweeperType sweeper) {
   bool lazy_sweeping_active = false;
   bool unused_page_present = false;
-  intptr_t old_space_size = heap()->PromotedSpaceSize();
+  intptr_t old_space_size = heap()->PromotedSpaceSizeOfObjects();
   intptr_t space_left =
       Min(heap()->OldGenPromotionLimit(old_space_size),
           heap()->OldGenAllocationLimit(old_space_size)) - old_space_size;