[wasm] Reset g_thread_in_wasm_code in Runtime_Allocate

As a short-term mitigation for the abort() crash that happens when the g_thread_in_wasm_code flag is set while we attempt to free a Wasm code object as part of a GC cycle, clear the flag in Runtime_AllocateInYoungGeneration. (The ...OldGeneration counterpart is not affected because Wasm code does not request pretenured allocations currently.) Bug: chromium:1236668 Change-Id: I97ab9f67935de9aaeca0815e374bdfd8076acf6f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3110195Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#76423}

[wasm] Reset g_thread_in_wasm_code in Runtime_Allocate
As a short-term mitigation for the abort() crash that happens when the g_thread_in_wasm_code flag is set while we attempt to free a Wasm code object as part of a GC cycle, clear the flag in Runtime_AllocateInYoungGeneration. (The ...OldGeneration counterpart is not affected because Wasm code does not request pretenured allocations currently.) Bug: chromium:1236668 Change-Id: I97ab9f67935de9aaeca0815e374bdfd8076acf6f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3110195Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#76423}
2f9599fa · Jakob Kummerow · V8 LUCI CQ · d7d71adc · 2f9599fa
Commit 2f9599fa authored Aug 22, 2021 by Jakob Kummerow Committed by V8 LUCI CQ Aug 23, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 42 additions and 0 deletions

runtime-internal.cc src/runtime/runtime-internal.cc +42 -0

No files found.
--- a/src/runtime/runtime-internal.cc
+++ b/src/runtime/runtime-internal.cc
@@ -31,6 +31,12 @@
 #include "src/strings/string-builder-inl.h"
 #include "src/utils/ostreams.h"

+#if V8_ENABLE_WEBASSEMBLY
+// TODO(jkummerow): Drop this when the "SaveAndClearThreadInWasmFlag"
+// short-term mitigation is no longer needed.
+#include "src/trap-handler/trap-handler.h"
+#endif  // V8_ENABLE_WEBASSEMBLY
+
 namespace v8 {
 namespace internal {

@@ -418,6 +424,34 @@ RUNTIME_FUNCTION(Runtime_BytecodeBudgetInterruptFromCode) {
  return ReadOnlyRoots(isolate).undefined_value();
 }

+namespace {
+
+#if V8_ENABLE_WEBASSEMBLY
+class SaveAndClearThreadInWasmFlag {
+ public:
+  SaveAndClearThreadInWasmFlag() {
+    if (trap_handler::IsTrapHandlerEnabled()) {
+      if (trap_handler::IsThreadInWasm()) {
+        thread_was_in_wasm_ = true;
+        trap_handler::ClearThreadInWasm();
+      }
+    }
+  }
+  ~SaveAndClearThreadInWasmFlag() {
+    if (thread_was_in_wasm_) {
+      trap_handler::SetThreadInWasm();
+    }
+  }
+
+ private:
+  bool thread_was_in_wasm_{false};
+};
+#else
+class SaveAndClearThreadInWasmFlag {};
+#endif  // V8_ENABLE_WEBASSEMBLY
+
+}  // namespace
+
 RUNTIME_FUNCTION(Runtime_AllocateInYoungGeneration) {
  HandleScope scope(isolate);
  DCHECK_EQ(2, args.length());
@@ -434,6 +468,14 @@ RUNTIME_FUNCTION(Runtime_AllocateInYoungGeneration) {
    CHECK(size <= kMaxRegularHeapObjectSize);
  }

+#if V8_ENABLE_WEBASSEMBLY
+  // Short-term mitigation for crbug.com/1236668. When this is called from
+  // WasmGC code, clear the "thread in wasm" flag, which is important in case
+  // any GC needs to happen.
+  // TODO(jkummerow): Find a better fix, likely by replacing the global flag.
+  SaveAndClearThreadInWasmFlag clear_wasm_flag;
+#endif  // V8_ENABLE_WEBASSEMBLY
+
  // TODO(v8:9472): Until double-aligned allocation is fixed for new-space
  // allocations, don't request it.
  double_align = false;