[wasm-gc] Fix garbage collection for structs

When the garbage collector needs to get a struct's type information, it must be prepared to deal with forwarding pointers, as those will only get cleaned up at the end of the GC cycle. Bug: v8:7748 Change-Id: Ifdfdffcef27d1dbe07c86a3abd17711f46c1b900 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2187732 Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#67648}

[wasm-gc] Fix garbage collection for structs
When the garbage collector needs to get a struct's type information, it must be prepared to deal with forwarding pointers, as those will only get cleaned up at the end of the GC cycle. Bug: v8:7748 Change-Id: Ifdfdffcef27d1dbe07c86a3abd17711f46c1b900 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2187732 Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#67648}
13968f9e · Jakob Kummerow · Commit Bot · b40a6fd4 · 13968f9e · 13968f9e
Commit 13968f9e authored May 07, 2020 by Jakob Kummerow Committed by Commit Bot May 07, 2020
4 changed files
--- a/src/objects/objects-body-descriptors-inl.h
+++ b/src/objects/objects-body-descriptors-inl.h
@@ -813,7 +813,7 @@ class WasmStruct::BodyDescriptor final : public BodyDescriptorBase {
  static inline void IterateBody(Map map, HeapObject obj, int object_size,
                                 ObjectVisitor* v) {
    WasmStruct wasm_struct = WasmStruct::cast(obj);
-    wasm::StructType* type = WasmStruct::type(map);
+    wasm::StructType* type = WasmStruct::GcSafeType(map);
    for (uint32_t i = 0; i < type->field_count(); i++) {
      if (!type->field(i).IsReferenceType()) continue;
      int offset =

--- a/src/wasm/module-instantiate.cc
+++ b/src/wasm/module-instantiate.cc
@@ -99,7 +99,7 @@ Handle<Map> CreateStructMap(Isolate* isolate, const WasmModule* module,
      isolate->factory()->NewForeign(reinterpret_cast<Address>(type));
  Handle<Map> map = isolate->factory()->NewMap(
      instance_type, instance_size, elements_kind, inobject_properties);
-  map->set_constructor_or_backpointer(*type_info);
+  map->set_wasm_type_info(*type_info);
  return map;
 }


--- a/src/wasm/wasm-objects-inl.h
+++ b/src/wasm/wasm-objects-inl.h
@@ -417,8 +417,17 @@ ACCESSORS(AsmWasmData, export_wrappers, FixedArray, kExportWrappersOffset)
 ACCESSORS(AsmWasmData, uses_bitset, HeapNumber, kUsesBitsetOffset)

 wasm::StructType* WasmStruct::type(Map map) {
+  Foreign foreign = map.wasm_type_info();
+  return reinterpret_cast<wasm::StructType*>(foreign.foreign_address());
+}
+
+wasm::StructType* WasmStruct::GcSafeType(Map map) {
  DCHECK_EQ(WASM_STRUCT_TYPE, map.instance_type());
-  Foreign foreign = Foreign::cast(map.constructor_or_backpointer());
+  HeapObject raw = HeapObject::cast(map.constructor_or_backpointer());
+  MapWord map_word = raw.map_word();
+  HeapObject forwarded =
+      map_word.IsForwardingAddress() ? map_word.ToForwardingAddress() : raw;
+  Foreign foreign = Foreign::cast(forwarded);
  return reinterpret_cast<wasm::StructType*>(foreign.foreign_address());
 }


--- a/src/wasm/wasm-objects.h
+++ b/src/wasm/wasm-objects.h
@@ -942,6 +942,7 @@ class WasmStruct : public TorqueGeneratedWasmStruct<WasmStruct, HeapObject> {
 public:
  static inline wasm::StructType* type(Map map);
  inline wasm::StructType* type() const;
+  static inline wasm::StructType* GcSafeType(Map map);

  inline ObjectSlot RawField(int raw_offset);