    Revert "Reland "[compiler] Consider IsPendingAllocation in Ref construction"" · abfdbaf2
    Sathya Gunasekaran authored
    This reverts commit 4683d6fe.
    
    Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN/36744/overview
    
    
    Original change's description:
    > Reland "[compiler] Consider IsPendingAllocation in Ref construction"
    >
    > This is a reland of 5f0ac36c
    >
    > Fixes Ref construction failures in:
    > - MapRef::instance_descriptors
    > - NativeContext reads (see also crrev.com/c/2891575)
    >
    > Original change's description:
    > > [compiler] Consider IsPendingAllocation in Ref construction
    > >
    > > The logic in JSHeapBroker::TryGetOrCreateData assumes that parts
    > > of the object are safe to read. In particular, the instance type
    > > must be readable for the chain of `Is##Name()` type checks.
    > >
    > > This is guaranteed if
    > >
    > >  - a global memory fence happened after object initialization and
    > >    prior to the read by the compiler; or
    > >  - the object was published through a release store and read through
    > >    an acquire read.
    > >
    > > The former is protected by the new call to ObjectMayBeUninitialized
    > > (which internally calls IsPendingAllocation) in TryGetOrCreateData.
    > >
    > > The latter must be marked explicitly by calling the new
    > > MakeRefAssumeMemoryFence variant.
    > >
    > > Note that support in this CL is expected to be incomplete and will
    > > have to be extended in the future as more cases show up in which
    > > MakeRef calls must be converted to MakeRefAssumeMemoryFence or to
    > > TryMakeRef.
    > >
    > > Bug: v8:7790,v8:11711
    > > Change-Id: Ic2f7d9fc46e4bfc3f6bbe42816f73fc5ec174337
    > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2874663
    > > Commit-Queue: Jakob Gruber <jgruber@chromium.org>
    > > Reviewed-by: Georg Neis <neis@chromium.org>
    > > Cr-Commit-Position: refs/heads/master@{#74474}
    >
    > Bug: v8:7790,v8:11711,chromium:1207680,chromium:1207679
    > Change-Id: Ib3dbf59909e6982a3230dd6a67c9fb7d6ffb9ab4
    > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2886861
    > Reviewed-by: Georg Neis <neis@chromium.org>
    > Commit-Queue: Jakob Gruber <jgruber@chromium.org>
    > Cr-Commit-Position: refs/heads/master@{#74587}
    
    Bug: v8:7790
    Bug: v8:11711
    Bug: chromium:1207680
    Bug: chromium:1207679
    Change-Id: I8cd45ac006b7b5f3d668d0df272bcba880c75926
    No-Presubmit: true
    No-Tree-Checks: true
    No-Try: true
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2901990
    Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
    Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#74621}
js-heap-broker.cc 44 KB
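The quoted description of the reverted change rests on one memory-ordering rule: a background compiler thread may only read an object's instance type (and run the `Is##Name()` checks on it) if either a global fence separated initialization from the read, or the object was published with a release store and read with an acquire load; otherwise the read must be refused. The following is an added illustration of that rule, not V8 code and not part of this commit. `HeapObject`, `PublishedSlot`, `TryMakeRef` and `RunPublicationCheck` are hypothetical stand-ins, and the instance type value `0x1234` is constructed for the demo.

```cpp
// Added illustration (not V8 code): a concurrent reader may only trust an
// object's fields after a release/acquire handoff, and a "try" variant
// refuses an object that has not been published yet.
#include <atomic>
#include <cassert>
#include <cstdint>
#include <thread>

// Constructed stand-in for a heap object. instance_type is the field the
// quoted description says must be readable before any type checks run.
struct HeapObject {
  uint16_t instance_type = 0;
  uint32_t payload = 0;
};

// Hypothetical publication slot shared between a mutator ("main") thread
// and a background reader ("compiler") thread.
class PublishedSlot {
 public:
  // Mutator side: every field must be written before this release store.
  void Publish(HeapObject* obj) { slot_.store(obj, std::memory_order_release); }

  // Reader side: the acquire load pairs with the release store, so once the
  // pointer is visible every write that preceded Publish() is visible too.
  HeapObject* LoadAcquire() const { return slot_.load(std::memory_order_acquire); }

 private:
  std::atomic<HeapObject*> slot_{nullptr};
};

// Hypothetical analogue of a TryMakeRef: returns nullptr instead of touching
// an object that is still pending (unpublished), so the caller never runs
// type checks against memory that may be uninitialized.
HeapObject* TryMakeRef(const PublishedSlot& slot) {
  HeapObject* obj = slot.LoadAcquire();
  if (obj == nullptr) return nullptr;  // still pending: refuse, do not read
  return obj;
}

// Runs `iterations` handoffs: the mutator initializes an object and publishes
// it; the reader spins on the acquire load and then checks the instance type.
// Returns true only if every reader saw the fully initialized instance_type.
bool RunPublicationCheck(int iterations) {
  constexpr uint16_t kExpectedType = 0x1234;  // constructed sample value
  bool all_consistent = true;
  for (int i = 0; i < iterations; ++i) {
    PublishedSlot slot;
    HeapObject object;  // instance_type == 0 here, i.e. "not yet initialized"
    bool reader_ok = false;
    std::thread reader([&] {
      HeapObject* seen = nullptr;
      while ((seen = TryMakeRef(slot)) == nullptr) {
        // Object is still pending from the reader's point of view: keep waiting.
      }
      reader_ok = (seen->instance_type == kExpectedType);
    });
    object.instance_type = kExpectedType;  // initialize before publishing
    object.payload = static_cast<uint32_t>(i);
    slot.Publish(&object);                 // release store makes it visible
    reader.join();
    all_consistent = all_consistent && reader_ok;
  }
  return all_consistent;
}

int main() {
  assert(RunPublicationCheck(100));
  PublishedSlot slot;
  assert(TryMakeRef(slot) == nullptr);  // unpublished: no ref is created
  HeapObject obj;
  obj.instance_type = 7;
  slot.Publish(&obj);
  assert(TryMakeRef(slot) == &obj);
  return 0;
}
```

The reader never dereferences the pointer until the acquire load has returned it, which is the property the description's "release store / acquire read" bullet relies on; the null return from `TryMakeRef` stands in for the "pending allocation" case where construction of a ref must be declined rather than attempted.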