[regexp] Release regexp zone memory during JS parsing

Since early regexp errors were implemented in crrev.com/a56874d3, the JS parser calls into the regexp parser to validate the regexp literal syntax. For these calls, the JS parser passes its Zone to the regexp parser. This means that scripts with multiple regexp literals are all parsed using the same Zone memory. Very large scripts with many (think hundreds of thousands) regexp literals may thus run out of memory whereas previously they would parse and run successfully. This CL fixes the OOMs by resetting the state of the JS parser Zone around regexp parser calls. We introduce a new ZoneScope class, similar to HandleScope, which controls the lifetime of zone objects allocated within its scope. In other words: { ZoneScope zone_scope(zone); // Store zone state S. // ... Allocate objects O in zone. // zone is now in state S'. } // zone_scope goes out of scope, reset zone to state S. Objects O // are freed and no longer usable. Fixed: chromium:1264014 Bug: v8:896 Change-Id: I3e7ac36f25a9d6c4eda2460bd1bea9814685e89b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3256783Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/main@{#77646}

[regexp] Release regexp zone memory during JS parsing
Since early regexp errors were implemented in crrev.com/a56874d3, the JS parser calls into the regexp parser to validate the regexp literal syntax. For these calls, the JS parser passes its Zone to the regexp parser. This means that scripts with multiple regexp literals are all parsed using the same Zone memory. Very large scripts with many (think hundreds of thousands) regexp literals may thus run out of memory whereas previously they would parse and run successfully. This CL fixes the OOMs by resetting the state of the JS parser Zone around regexp parser calls. We introduce a new ZoneScope class, similar to HandleScope, which controls the lifetime of zone objects allocated within its scope. In other words: { ZoneScope zone_scope(zone); // Store zone state S. // ... Allocate objects O in zone. // zone is now in state S'. } // zone_scope goes out of scope, reset zone to state S. Objects O // are freed and no longer usable. Fixed: chromium:1264014 Bug: v8:896 Change-Id: I3e7ac36f25a9d6c4eda2460bd1bea9814685e89b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3256783Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/main@{#77646}
30cab7b1 · Jakob Gruber · V8 LUCI CQ · 7cdf4c69 · 30cab7b1 · 30cab7b1
Commit 30cab7b1 authored Nov 02, 2021 by Jakob Gruber Committed by V8 LUCI CQ Nov 02, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 82 additions and 9 deletions

parser-base.h src/parsing/parser-base.h +2 -1

zone.cc src/zone/zone.cc +52 -8

zone.h src/zone/zone.h +28 -0

No files found.
--- a/src/parsing/parser-base.h
+++ b/src/parsing/parser-base.h
@@ -1805,6 +1805,7 @@ bool ParserBase<Impl>::ValidateRegExpLiteral(const AstRawString* pattern,
  // TODO(jgruber): If already validated in the preparser, skip validation in
  // the parser.
  DisallowGarbageCollection no_gc;
+  ZoneScope zone_scope(zone());  // Free regexp parser memory after use.
  const unsigned char* d = pattern->raw_data();
  if (pattern->is_one_byte()) {
    return RegExp::VerifySyntax(zone(), stack_limit(),
@@ -5328,7 +5329,7 @@ typename ParserBase<Impl>::BlockT ParserBase<Impl>::ParseBlock(
    body->set_scope(scope()->FinalizeBlockScope());
  }

-  body->InitializeStatements(statements, zone_);
+  body->InitializeStatements(statements, zone());
  return body;
 }


--- a/src/zone/zone.cc
+++ b/src/zone/zone.cc
@@ -89,14 +89,8 @@ void Zone::DeleteAll() {
  // Traverse the chained list of segments and return them all to the allocator.
  while (current) {
    Segment* next = current->next();
-    size_t size = current->total_size();
-
-    // Un-poison the segment content so we can re-use or zap it later.
-    ASAN_UNPOISON_MEMORY_REGION(reinterpret_cast<void*>(current->start()),
-                                current->capacity());
-
-    segment_bytes_allocated_ -= size;
-    allocator_->ReturnSegment(current, supports_compression());
+    segment_bytes_allocated_ -= current->total_size();
+    ReleaseSegment(current);
    current = next;
  }

@@ -107,6 +101,13 @@ void Zone::DeleteAll() {
 #endif
 }

+void Zone::ReleaseSegment(Segment* segment) {
+  // Un-poison the segment content so we can re-use or zap it later.
+  ASAN_UNPOISON_MEMORY_REGION(reinterpret_cast<void*>(segment->start()),
+                              segment->capacity());
+  allocator_->ReturnSegment(segment, supports_compression());
+}
+
 Address Zone::NewExpand(size_t size) {
  // Make sure the requested size is already properly aligned and that
  // there isn't enough room in the Zone to satisfy the request.
@@ -168,5 +169,48 @@ Address Zone::NewExpand(size_t size) {
  return result;
 }

+ZoneScope::ZoneScope(Zone* zone)
+    : zone_(zone),
+#ifdef V8_ENABLE_PRECISE_ZONE_STATS
+      allocation_size_for_tracing_(zone->allocation_size_for_tracing_),
+      freed_size_for_tracing_(zone->freed_size_for_tracing_),
+#endif
+      allocation_size_(zone->allocation_size_),
+      segment_bytes_allocated_(zone->segment_bytes_allocated_),
+      position_(zone->position_),
+      limit_(zone->limit_),
+      segment_head_(zone->segment_head_) {
+}
+
+ZoneScope::~ZoneScope() {
+  // Release segments up to the stored segment_head_.
+  Segment* current = zone_->segment_head_;
+  while (current != segment_head_) {
+    Segment* next = current->next();
+    zone_->ReleaseSegment(current);
+    current = next;
+  }
+
+  // Un-poison the trailing segment content so we can re-use or zap it later.
+  if (segment_head_ != nullptr) {
+    void* const start = reinterpret_cast<void*>(position_);
+    DCHECK_GE(start, reinterpret_cast<void*>(current->start()));
+    DCHECK_LE(start, reinterpret_cast<void*>(current->end()));
+    const size_t length = current->end() - reinterpret_cast<Address>(start);
+    ASAN_UNPOISON_MEMORY_REGION(start, length);
+  }
+
+  // Reset the Zone to the stored state.
+  zone_->allocation_size_ = allocation_size_;
+  zone_->segment_bytes_allocated_ = segment_bytes_allocated_;
+  zone_->position_ = position_;
+  zone_->limit_ = limit_;
+  zone_->segment_head_ = segment_head_;
+#ifdef V8_ENABLE_PRECISE_ZONE_STATS
+  zone_->allocation_size_for_tracing_ = allocation_size_for_tracing_;
+  zone_->freed_size_for_tracing_ = freed_size_for_tracing_;
+#endif
+}
+
 }  // namespace internal
 }  // namespace v8
--- a/src/zone/zone.h
+++ b/src/zone/zone.h
@@ -189,6 +189,10 @@ class V8_EXPORT_PRIVATE Zone final {
  // Deletes all objects and free all memory allocated in the Zone.
  void DeleteAll();

+  // Releases the current segment without performing any local bookkeeping
+  // (e.g. tracking allocated bytes, maintaining linked lists, etc).
+  void ReleaseSegment(Segment* segment);
+
  // All pointers returned from New() are 8-byte aligned.
  static const size_t kAlignmentInBytes = 8;

@@ -235,6 +239,30 @@ class V8_EXPORT_PRIVATE Zone final {
  // The number of bytes freed in this zone so far.
  size_t freed_size_for_tracing_ = 0;
 #endif
+
+  friend class ZoneScope;
+};
+
+// Similar to the HandleScope, the ZoneScope defines a region of validity for
+// zone memory. All memory allocated in the given Zone during the scope's
+// lifetime is freed when the scope is destructed, i.e. the Zone is reset to
+// the state it was in when the scope was created.
+class ZoneScope final {
+ public:
+  explicit ZoneScope(Zone* zone);
+  ~ZoneScope();
+
+ private:
+  Zone* const zone_;
+#ifdef V8_ENABLE_PRECISE_ZONE_STATS
+  const size_t allocation_size_for_tracing_;
+  const size_t freed_size_for_tracing_;
+#endif
+  const size_t allocation_size_;
+  const size_t segment_bytes_allocated_;
+  const Address position_;
+  const Address limit_;
+  Segment* const segment_head_;
 };

 // ZoneObject is an abstraction that helps define classes of objects