cppgc: Fix MarkingVerifier for in-construction objects

- Avoid invoking Trace() for in-construction objects as the method may
  access uninitialized fields, e.g., fields that have bogus state with
  zeroed memory like std::list.
- Conservatively scan in-construction objects for pointers.
- Verify that stack scan indeed finds all in-construction objects that
  are present on the heap and vice versa.

Bug: chromium:1056170
Change-Id: I2c68da2b8072f715b5a0dcdb1202d5f874c6c6e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2388106Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69670}

src/heap/cppgc/marking-verifier.cc

@@ -16,8 +16,11 @@ MarkingVerifier::MarkingVerifier(HeapBase& heap,
     : cppgc::Visitor(VisitorFactory::CreateKey()),
       ConservativeTracingVisitor(heap, *heap.page_backend(), *this) {
   Traverse(&heap.raw_heap());
-  if (stack_state == Heap::Config::StackState::kMayContainHeapPointers)
+  if (stack_state == Heap::Config::StackState::kMayContainHeapPointers) {
+    in_construction_objects_ = in_construction_objects_stack_;
     heap.stack()->IteratePointers(this);
+    CHECK_EQ(in_construction_objects_stack_, in_construction_objects_heap_);
+  }
 }
 
 void MarkingVerifier::Visit(const void* object, TraceDescriptor desc) {
@@ -42,6 +45,8 @@ void MarkingVerifier::VerifyChild(const void* base_object_payload) {
 void MarkingVerifier::VisitConservatively(
     HeapObjectHeader& header, TraceConservativelyCallback callback) {
   CHECK(header.IsMarked());
+  in_construction_objects_.insert(&header);
+  callback(this, header);
 }
 
 void MarkingVerifier::VisitPointer(const void* address) {
@@ -54,8 +59,14 @@ bool MarkingVerifier::VisitHeapObjectHeader(HeapObjectHeader* header) {
 
   DCHECK(!header->IsFree());
 
-  GlobalGCInfoTable::GCInfoFromIndex(header->GetGCInfoIndex())
-      .trace(this, header->Payload());
+  if (!header->IsInConstruction()) {
+    GlobalGCInfoTable::GCInfoFromIndex(header->GetGCInfoIndex())
+        .trace(this, header->Payload());
+  } else {
+    // Dispatches to conservative tracing implementation.
+    TraceConservativelyIfNeeded(*header);
+  }
+
   return true;
 }
 

src/heap/cppgc/marking-verifier.h

@@ -5,6 +5,8 @@
 #ifndef V8_HEAP_CPPGC_MARKING_VERIFIER_H_
 #define V8_HEAP_CPPGC_MARKING_VERIFIER_H_
 
+#include <unordered_set>
+
 #include "src/heap/base/stack.h"
 #include "src/heap/cppgc/heap-visitor.h"
 #include "src/heap/cppgc/heap.h"
@@ -34,6 +36,11 @@ class V8_EXPORT_PRIVATE MarkingVerifier final
   void VisitPointer(const void*) final;
 
   bool VisitHeapObjectHeader(HeapObjectHeader*);
+
+  std::unordered_set<const HeapObjectHeader*> in_construction_objects_heap_;
+  std::unordered_set<const HeapObjectHeader*> in_construction_objects_stack_;
+  std::unordered_set<const HeapObjectHeader*>& in_construction_objects_ =
+      in_construction_objects_heap_;
 };
 
 }  // namespace internal